Marcos created GUACAMOLE-1068:
---------------------------------
Summary: OTP key can be "intercepted" without the user knowing it if credentials are known until enrolment is finished
Key: GUACAMOLE-1068
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1068
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-totp
Affects Versions: 1.1.0
Reporter: Marcos
When activating TOTP two-factor authentication, the first time a user enters his
credentials, the TOTP key is inserted in the database and the QR code is shown.
If the user does not complete the enrolment by entering the OTP code, the key
remains in the database and will be reused the next time he tries again.

This opens a window between when the account is created and when the user
indeed verifies the OTP token, where an attacker who already knows the
username and password of the user can get the generated OTP token. It will be
the same one that the user gets when he finishes enrolment. The user doesn't know
that this key has been stolen and can be used in the future.

Security would be increased if the key were generated randomly every time
until the PIN code is entered and the enrolment process is finished, as the
malicious user would get a different key, and only the key validated by
entering the PIN would be stored in the database. The attacker would be able to
get a key, but when the legitimate user tries to log in and the QR code is no
longer displayed, the attack would be uncovered.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)