https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787

--- Comment #11 from David Cook <[email protected]> ---

(In reply to Marcel de Rooy from comment #9)
> (In reply to David Cook from comment #5)
> > This looks like a hack. We should pass the code in via a public
> > method/function. That said, it looks like this OTP will wind up in the
> > message_queue table?
>
> How vulnerable is that? Surely, the token will be expired very quickly but
> can we get back to the originating secret? And that said, would an attack on
> the email not have a higher chance of success?
>
> https://security.stackexchange.com/questions/42671/is-oath-totp-and-or-google-authenticator-vulnerable-if-an-attacker-has-n-pre

I'm not an expert on the topic, but in theory you could try an offline brute force attack that could potentially reveal the secret eventually, although I imagine we're using complex enough secrets that it would probably be computationally improbable at this time.

Technically, I suppose we could encrypt the email contents at rest (like https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html), but I think the risk is small enough that it can be a future enhancement...

--
You are receiving this mail because:
You are watching all bug changes.

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
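The two questions raised in the thread (how long a code sitting in the message_queue table stays usable, and whether codes that have been seen lead back to the originating secret) can be given concrete numbers. The Python below is an added example written for this page; it is not Koha code and not from the bug. It implements RFC 6238 TOTP with the standard library, verifies a code with a drift window, and computes the information-theoretic minimum number of observed codes before a secret of a given size is pinned down. The secret is the RFC 6238 test-vector value, a constructed input and not anything from a deployment.

```python
import hashlib
import hmac
import math
import struct
import time


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter,
    dynamically truncated (RFC 4226 section 5.3) to `digits` decimal digits."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1) -> bool:
    """Accept `code` only if it matches the current time step or one of the
    `window` neighbouring steps (clock skew), comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, digits, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def leaked_code_still_valid(secret: bytes, leaked_code: str, read_at: int,
                            digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Whether a code copied out of a stored message is still accepted when it
    is read at `read_at`. The exposure of a plaintext OTP in a queue table is
    bounded by the step size plus the verifier's drift window, not by how long
    the row itself lives."""
    return verify_totp(secret, leaked_code, read_at, digits, step, window)


def codes_needed_to_pin_secret(secret_bits: int, digits: int = 6) -> int:
    """Information-theoretic lower bound on how many observed codes an offline
    attacker must collect before a `secret_bits`-bit secret is uniquely
    determined: each code reveals at most log2(10**digits) bits, so fewer
    codes than this leave many secrets consistent with what was seen."""
    bits_per_code = math.log2(10 ** digits)
    return math.ceil(secret_bits / bits_per_code)


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 Appendix B test vector, not a real key.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("code", code, "accepted now:", verify_totp(secret, code, now))
    print("same code 2 minutes later:", leaked_code_still_valid(secret, code, now + 120))
    print("codes needed for an 80-bit secret:", codes_needed_to_pin_secret(80))
    print("codes needed for a 160-bit secret:", codes_needed_to_pin_secret(160))
```

The bound is a lower limit, not the cost of the attack: once an attacker holds enough codes to make the secret unique, recovering it still means running HMAC over the whole key space, which for an 80-bit (RFC 4226 minimum) or 160-bit secret is the "computationally improbable" part of the comment above. The short acceptance window is what limits the value of a code that is read straight out of the queue table; encrypting the queued body at rest, as the comment suggests for later, would close even that window.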
