Proton Authenticator logs full TOTP secrets in plaintext

This is concerning, I switched to their Authenticator a few days ago, being a Proton customer already. This is the kind of mistake that should not be happening in their products.

https://www.bleepingcomputer.com/news/security/proton-fixes-...

"Your post has been removed for being too specific to a company or single product. These days, reddit is heavily astroturfed with fake posts asking questions about companies and services by shills of those same companies and services as a form of fake organic advertising, and by competitors trying to create FUD to benefit their own product or service. This often takes the form or character assassination, libel, and conspiracy theories. We don’t allow it, and in order to keep it from happening, we remove posts that are too close to astroturfing, corporate comparisons, personal Nd political opinions, ranting diatribes, etc. If your question was legitimate (asking for pros and cons, potential issues, comparisons, etc), feel free to use subreddits more appropriate such as one for the company or service mentioned, or see privacyguides.org for community comparisons and recommendations to privacy focused open source software."

and

"Thanks for reporting this, this is an oversight in our iOS app, it should only log the entry ID and not the secret (this is the way it is done in our Android app). This will be changed in the next version of the app. Note, secrets are never transmitted to the server in plaintext, and all sync of secrets is done with end-to-end encryption. Logs are local only (never sent to the server), and these secrets can also be exported on your device to meet GDPR data portability requirements. In other words, even if this was not in the logs, somebody who has access to your device to get these logs, would still be able to obtain the secrets. Proton's encryption cannot protect against device side compromise, so you must always secure your device. EDIT: This is fixed in 1.1.1, which is live on the App Store"

and

"Proton Authenticator uses end-to-end encryption. The server-side code doesn't really matter since all the encryption is done on the client side. Furthermore, it is open source, so you can go on GitHub and check the code to see that it does indeed encrypt client-side. You don't have to trust it, because it can be independently verified. It is also very easy to independently verify that Proton Authenticator does indeed end-to-end encrypt and sends no secrets to the server, as it is not a very complicated app."