[GH-ISSUE #22] Security Alert: Susceptible to MITM Attacks #12

Closed
opened 2026-02-25 20:32:11 +03:00 by kerem · 4 comments

Originally created by @arleslie on GitHub (Dec 23, 2015).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/22

In the documentation it suggests using:

```php
$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    $user->email,
    $user->google2fa_secret
);
```

This generates a URL to Google Charts.
Using this URL creates a GET request which allows _all_ of the information to be sniffed.

Using:

```php
$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    'email',
    'OhHeyThe2faSecret'
);
```

Returns: `https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FYourCompany%3Aemail%3Fsecret%3DOhHeyThe2faSecret%26issuer%3DYourCompany`

If you decode the `&chl=` part you get: `otpauth://totp/YourCompany:email?secret=OhHeyThe2faSecret&issuer=YourCompany`

The QR code should be generated server side rather than being passed to a 3rd Party.

kerem closed this issue 2026-02-25 20:32:11 +03:00

@arleslie commented on GitHub (Dec 23, 2015):

It should be recommended to use `Google2FA::getQRCodeInline()`.


@arleslie commented on GitHub (Dec 23, 2015):

Per a little bit more research it appears GET requests are protected with SSL.
My understanding before was that URLs are not encrypted, so it appears this is fine unless the SSL to Google is being stripped. (Which, if that happens, then you're screwed anyway.)


@GrahamCampbell commented on GitHub (Dec 23, 2015):

Yeh, SSL means the whole request is encrypted.


@GrahamCampbell commented on GitHub (Dec 23, 2015):

The URI is part of that.

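The thread settles that TLS hides the URL from the network, but the issue's other point stands: the `chl` parameter hands the complete `otpauth://` URI, secret included, to whoever terminates that TLS connection. The following added example (not google2fa's code) rebuilds the URL from the issue's sample values and extracts the secret back out of it, the way a reviewer would check an enrolment page for third-party exposure; `CHART_HOST` and the helper names are assumptions of this example.

```python
"""Added example: what the Google Charts QR URL from the issue carries.

Rebuilds the otpauth://totp URI the library encodes, wraps it in the
chart.googleapis.com URL exactly as quoted in the issue, and pulls the
shared secret back out of the 'chl' parameter.  That is what the party
receiving the request sees after TLS is terminated, regardless of the
encryption on the wire.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

CHART_HOST = "chart.googleapis.com"  # assumed host, taken from the issue's URL


def otpauth_uri(issuer: str, account: str, secret: str) -> str:
    """Build the otpauth://totp URI that a TOTP enrolment QR code encodes."""
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"


def google_chart_qr_url(issuer: str, account: str, secret: str, size: int = 200) -> str:
    """Reproduce the third-party QR URL quoted in the issue: the whole otpauth
    URI, secret included, travels in the 'chl' query parameter."""
    payload = quote(otpauth_uri(issuer, account, secret), safe="")
    return (f"https://{CHART_HOST}/chart?chs={size}x{size}&chld=M|0&cht=qr"
            f"&chl={payload}")


def secret_exposed_to(url: str) -> Optional[Tuple[str, str]]:
    """Return (receiving_host, secret) when a QR URL carries a TOTP secret
    to the host named in it, else None.  Useful as a review check over
    enrolment pages: anything the application links to here can read the
    secret once it decrypts the request."""
    parts = urlsplit(url)
    chl = parse_qs(parts.query).get("chl", [None])[0]  # parse_qs URL-decodes
    if not chl or not chl.startswith("otpauth://"):
        return None
    secret = parse_qs(urlsplit(chl).query).get("secret", [None])[0]
    if secret is None:
        return None
    return parts.hostname, secret


if __name__ == "__main__":
    # Constructed sample values, the same ones used in the issue text.
    url = google_chart_qr_url("YourCompany", "email", "OhHeyThe2faSecret")
    print(url)
    print(secret_exposed_to(url))  # ('chart.googleapis.com', 'OhHeyThe2faSecret')
```

Generating the image locally (the `getQRCodeInline()` route suggested in the first comment) keeps the same `otpauth://` URI entirely inside the application, so `secret_exposed_to` has nothing to find.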