@andresriancho
Last active January 28, 2021 12:08
TOTP secrets leaked to Google via charts API

TL;DR

When implementing 2FA it's a bad idea to generate the QR image containing the TOTP secret using Google Charts: the whole otpauth:// URI, secret included, is sent to Google as a query parameter of the image request.

<img src="https://chart.googleapis.com/
          chart?chl=otpauth%3A%2F%2Ftotp%2F...secret%3Dacl...mwv&amp;chs=200x200&amp;cht=qr" />

Paranoid mode: ON

Google tracks all your internet moves and could easily exploit this vulnerability to bypass 2FA. Anyone who can read those requests (or Google's logs of them) gets everything they need:

  • Google receives the TOTP secret itself in the chl parameter of the image URL, so it can compute valid codes for that account at any time
  • Google knows the email associated with the user generating the QR code (cookies everywhere)
  • Google receives a Referer from your browser when the QR image is fetched (unless the page sets a restrictive Referrer-Policy), so it knows where the TOTP can be used

Combine those facts with password re-use between Gmail and your 2FA-"protected" application and you have something really bad in your hands: the second factor adds nothing.
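The following is an added example, not code from the gist. It builds the otpauth:// URI, constructs the Google Charts image URL in the leaky pattern above, shows exactly what the image host can read out of that request (host and secret), computes RFC 6238 codes from the recovered secret to make the point that the leak is a full 2FA bypass, and finishes with a check that scans rendered HTML for `<img>` tags that fetch an otpauth QR from a host other than your own. The issuer, account and host names are constructed for illustration; the hardened `local_qr_img_tag` helper assumes the third-party `qrcode` package is installed and is the one function that needs anything beyond the standard library.

```python
"""Added example: how the TOTP secret leaks through a third-party QR URL,
and a check for the pattern. Not code from the gist; names are constructed."""
import base64
import hashlib
import hmac
import html
import re
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlparse


def make_totp_secret(nbytes: int = 20) -> str:
    """Fresh base32 TOTP secret (160 bits, the size RFC 4226 recommends)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(issuer: str, account: str, secret: str) -> str:
    """Key URI in the form authenticator apps scan from the QR code."""
    label = quote(f"{issuer}:{account}", safe="")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer, safe='')}"


def google_charts_qr_url(uri: str) -> str:
    """The pattern the gist warns against: the whole otpauth URI, secret
    included, becomes a query parameter of a request to a third party."""
    return "https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl=" + quote(uri, safe="")


def secret_in_qr_url(img_url: str):
    """What the image host can read from the request line alone, before
    any Referer or cookie: (host, TOTP secret), or None if nothing leaks."""
    parsed = urlparse(img_url)
    for value in parse_qs(parsed.query).get("chl", []):
        inner = urlparse(value)  # parse_qs already undid the percent-encoding
        if inner.scheme == "otpauth":
            secret = parse_qs(inner.query).get("secret")
            if secret:
                return parsed.hostname, secret[0]
    return None


def totp(secret_b32: str, unix_time=None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Whoever holds the secret, including a
    party that merely logged the QR request, computes the same codes."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if unix_time is None else unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


IMG_SRC = re.compile(r'<img[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def find_leaked_secrets(page_html: str, own_host: str):
    """Check for the vulnerable pattern in rendered HTML: every <img> whose
    src points at a host other than our own and carries an otpauth secret.
    Returns a list of (host, secret) pairs."""
    leaks = []
    for raw in IMG_SRC.findall(page_html):
        url = html.unescape(raw)  # templates write &amp; inside attributes
        host = urlparse(url).hostname
        if host and host != own_host:
            found = secret_in_qr_url(url)
            if found:
                leaks.append(found)
    return leaks


def local_qr_img_tag(uri: str) -> str:
    """Hardened alternative: render the QR in-process and inline it as a
    data: URI, so the secret never appears in an outbound request.
    Assumption: the third-party 'qrcode' package (pip install qrcode[pil])
    is installed; nothing else in this file needs it."""
    import io
    import qrcode
    buf = io.BytesIO()
    qrcode.make(uri).save(buf, format="PNG")
    return '<img src="data:image/png;base64,%s">' % base64.b64encode(buf.getvalue()).decode()


if __name__ == "__main__":
    # Constructed enrolment page for a hypothetical app.example.com.
    uri = otpauth_uri("Example", "alice@example.com", make_totp_secret())
    page = '<img src="%s">' % google_charts_qr_url(uri).replace("&", "&amp;")
    for host, secret in find_leaked_secrets(page, "app.example.com"):
        print(f"{host} received secret {secret}; current code: {totp(secret)}")
```

The scanner is meant to run over rendered templates or a crawl of your own enrolment pages; it flags any foreign host, not just Google's, because the same leak exists with any third-party QR service. `local_qr_img_tag` is the fix the gist implies: the QR bytes are produced on your server and served from your origin (or inlined), so no Referer and no secret ever reach anyone else.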
