Posted to issues@guacamole.apache.org by "Marcos (Jira)" <ji...@apache.org> on 2020/05/09 15:06:00 UTC

[jira] [Created] (GUACAMOLE-1068) OTP key can be "intercepted" without the user knowing it if credentials are known until enrolment is finished

Marcos created GUACAMOLE-1068:
---------------------------------

             Summary: OTP key can be "intercepted" without the user knowing it if credentials are known until enrolment is finished
                 Key: GUACAMOLE-1068
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1068
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-auth-totp
    Affects Versions: 1.1.0
            Reporter: Marcos


When activating TOTP two-factor authentication, the first time a user enters his credentials, the TOTP key is inserted in the database and the QR code is shown. If the user does not complete the enrollment by entering the OTP code, the key remains in the database and it will be reused the next time he tries again.

This opens a window between when the account is created and when the user indeed verifies the OTP token, in which an attacker who already knows the username and password of the user can get the generated OTP token. It will be the same one that the user gets when he finishes enrolment. The user doesn't know that this key has been stolen and can be used in the future.

Security would be increased if the key were generated randomly every time until the pin code is entered and the enrolment process is finished, as the malicious user would get a different key, and only the key validated by entering the pin would be stored in the database. The attacker would be able to get a key, but when the legitimate user tries to log in and the QR code is not displayed anymore, the attack would be uncovered.
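The two enrolment behaviours described above, as an added illustration that is not Guacamole's own code: a simplified in-memory store stands in for the database, and the codes are plain RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step); the class and attribute names are assumptions for this example. The vulnerable flow persists the key on first login, so a second "first login" reuses it; the fixed flow keeps a fresh key pending per attempt and persists only the key the user proves possession of.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class VulnerableEnrollment:
    """Stores the key in the 'database' before the user has confirmed it (the reported bug)."""

    def __init__(self):
        self.db = {}  # username -> confirmed-or-not TOTP key

    def begin(self, user: str) -> bytes:
        # Whoever logs in first (including an attacker holding the password) gets the key,
        # and every later enrolment attempt shows a QR code for the very same key.
        return self.db.setdefault(user, secrets.token_bytes(20))

    def confirm(self, user: str, code: str, now: int) -> bool:
        return hmac.compare_digest(totp(self.db[user], now), code)


class FixedEnrollment:
    """Generates a fresh key per attempt; only a key validated by a correct code is stored."""

    def __init__(self):
        self.db = {}       # username -> confirmed TOTP key
        self.pending = {}  # username -> key shown in the most recent QR code, not yet confirmed

    def begin(self, user: str) -> bytes:
        if user in self.db:
            # Enrolment already completed: no QR code is shown again, which is exactly
            # how a legitimate user would notice that someone else finished enrolment.
            raise PermissionError("already enrolled; QR code is not displayed")
        self.pending[user] = secrets.token_bytes(20)  # replaces any earlier pending key
        return self.pending[user]

    def confirm(self, user: str, code: str, now: int) -> bool:
        key = self.pending.get(user)
        if key is None or not hmac.compare_digest(totp(key, now), code):
            return False
        self.db[user] = self.pending.pop(user)  # persist only once possession is proven
        return True
```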



--
This message was sent by Atlassian Jira
(v8.3.4#803005)