starred/google2fa

Fork 0

mirror of https://github.com/antonioribeiro/google2fa.git synced 2026-04-27 09:05:49 +03:00

[GH-ISSUE #22] Security Alert: Susceptible to MITM Attacks #479

New issue

Closed

opened 2026-03-14 11:54:20 +03:00 by kerem · 4 comments

kerem commented

2026-03-14 11:54:20 +03:00

Owner

Originally created by @arleslie on GitHub (Dec 23, 2015).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/22

In the documentation it suggests using:

$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    $user->email,
    $user->google2fa_secret
);

This generates a URL to Google Charts.
Using this URL creates a GET request which allows all of the information to sniffed.

Using:

$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    'email',
    'OhHeyThe2faSecret'
);

Returns: https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FYourCompany%3Aemail%3Fsecret%3DOhHeyThe2faSecret%26issuer%3DYourCompany
If you decode the &chl= part you get: otpauth://totp/YourCompany:email?secret=OhHeyThe2faSecret&issuer=YourCompany

The QR code should be generated server side rather than being passed to a 3rd Party.

Originally created by @arleslie on GitHub (Dec 23, 2015). Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/22 In the documentation it suggests using: ``` $google2fa_url = Google2FA::getQRCodeGoogleUrl( 'YourCompany', $user->email, $user->google2fa_secret ); ``` This generates a URL to Google Charts. Using this URL creates a GET request which allows _all_ of the information to sniffed. Using: ``` $google2fa_url = Google2FA::getQRCodeGoogleUrl( 'YourCompany', 'email', 'OhHeyThe2faSecret' ); ``` Returns: `https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FYourCompany%3Aemail%3Fsecret%3DOhHeyThe2faSecret%26issuer%3DYourCompany` If you decode the `&chl=` part you get: `otpauth://totp/YourCompany:email?secret=OhHeyThe2faSecret&issuer=YourCompany` The QR code should be generated server side rather than being passed to a 3rd Party.

kerem closed this issue

2026-03-14 11:54:25 +03:00

kerem commented

2026-03-14 11:54:31 +03:00

Author

Owner

@arleslie commented on GitHub (Dec 23, 2015):

It should be recommended to use Google2FA::getQRCodeInline().

@arleslie commented on GitHub (Dec 23, 2015): It should be recommended to use `Google2FA::getQRCodeInline()`.

kerem commented

2026-03-14 11:54:36 +03:00

Author

Owner

@arleslie commented on GitHub (Dec 23, 2015):

Per a little bit more research it appears GET requests are protected with SSL.
My understanding before was that URLS are not encrypted so it appears this is fine unless the SSL to Google is being stripped. (Which if that happens then you're screwed anyway)

@arleslie commented on GitHub (Dec 23, 2015): Per a little bit more research it appears GET requests are protected with SSL. My understanding before was that URLS are not encrypted so it appears this is fine unless the SSL to Google is being stripped. (Which if that happens then you're screwed anyway)

kerem commented

2026-03-14 11:54:41 +03:00

Author

Owner

@GrahamCampbell commented on GitHub (Dec 23, 2015):

Yeh, SSL means the whole request in encrypted.

@GrahamCampbell commented on GitHub (Dec 23, 2015): Yeh, SSL means the whole request in encrypted.

kerem commented

2026-03-14 11:54:46 +03:00

Author

Owner

@GrahamCampbell commented on GitHub (Dec 23, 2015):

The URI is part of that.

@GrahamCampbell commented on GitHub (Dec 23, 2015): The URI is part of that.

No labels

bug

pull-request

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/google2fa#479

No description provided.

Rows
Columns