After a 13-year-long wait, Google Authenticator has added a 2FA account-sync feature that allows its users to back up their 2FA code sequences into the cloud, after which they can restore them back into a new device.
Though the upload of a user's 2FA secrets is encrypted in transit, researchers at Naked Security by Sophos and iOS developers at Mysk reported that a user's 2FA details were "unencrypted inside Google's HTTPS network packets." Furthermore, there is no option for a user to encrypt the upload with a passphrase before it leaves their device.
This is concerning because the transport encryption is removed once the upload arrives, leaving the secrets readable by Google and by virtually anyone else seeking that information, including anyone with a search warrant.
While it's possible that Google might address this security issue in the future, researchers at Mysk "recommend using the app without the new syncing feature for now."
"Although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets," said Mysk researchers in a tweet.