I know you have more experiences at this stage than me.<div><br></div><div>I don't worry about hacking the phone. But somewhere the QRCode has to be generated. It is often done with things lik jquery.qrcode(uri). The uri has to be retrieved from the backend to be able to generate the qrcode. </div>
<div>I could assume an attack at the qrcode generation stage, due to the fact that this is done in javascript.</div><div><br></div><div>So the risk is not the phone, it is the browser where the qrcode will be displayed.</div>
<div><br></div><div>wdyt? :)</div><div class="gmail_extra"><br><br><div class="gmail_quote">2012/12/18 Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm just trying to understand, the shared secret **can never** be sent across the network, in our case that's the reason why you must scan the QRCode to generate tokens, exactly to do not transmit it across the network.<br>
<br>
So XSS attacks can decode an image and grab my secret? I'm interested in reproduce this kind of attack, do you have the sources?<br>
<br>
I didn't say nothing about contributions, I'm just curious about how you could hack mobile's phone camera. I'd love to learn.<br>
<div class="im"><br>
--<br>
"The measure of a man is what he does with power" - Plato<br>
-<br>
@abstractj<br>
-<br>
Volenti Nihil Difficile<br>
<br>
<br>
<br>
</div><div class="im">On Tuesday, December 18, 2012 at 6:48 PM, Daniel Manzke wrote:<br>
<br>
> The man-in-the-middle could be between your web client and server. You have to call the server and than generate it. With XSS-Attacks there are a lot of ways to read the qrcode.<br>
> This means the secret is exposed and you can generate a valid token. ;)<br>
><br>
> If you don't want the contribution I'm going to fork and have my own version of aerogear-otp-java. No problem. ;)<br>
><br>
><br>
</div>> 2012/12/18 Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a> (mailto:<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>)><br>
<div class="im">> > Sorry Daniel, but I can't see how someone can intercept your phone's camera while you're scanning the QRCode, doesn't exist any communication between the client and the server. That's the reason why QRCode exists.<br>
> ><br>
> > Here you can check more about how it works <a href="http://aerogear.org/docs/specs/aerogear-security-otp/" target="_blank">http://aerogear.org/docs/specs/aerogear-security-otp/</a>. IMO the idea of input a PIN, sounds more like a HOTP, because it relies in some event to happen to have a new token. Add a large delay window like 60s will expose you to the man-in-the-middle attacks, allowing to reuse your token.<br>
> ><br>
> ><br>
> > --<br>
> > "The measure of a man is what he does with power" - Plato<br>
> > -<br>
> > @abstractj<br>
> > -<br>
> > Volenti Nihil Difficile<br>
> ><br>
> ><br>
> ><br>
> > On Tuesday, December 18, 2012 at 3:09 PM, Daniel Manzke wrote:<br>
> ><br>
> > > With TOTP you have to share a secret. This secret will be shared with the help of a link or qrcode. This can be catched by a man in the middle attack<br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > aerogear-dev mailing list<br>
</div>> > <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a> (mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>)<br>
<div class="im">> > <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Viele Grüße/Best Regards<br>
><br>
> Daniel Manzke<br>
> _______________________________________________<br>
> aerogear-dev mailing list<br>
</div>> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a> (mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>)<br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Viele Grüße/Best Regards<br><br>Daniel Manzke<br>
</div>