[Koha-bugs] [Bug 28787] Send a notice with the TOTP token

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu May 26 02:23:38 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787

--- Comment #11 from David Cook <dcook at prosentient.com.au> ---
(In reply to Marcel de Rooy from comment #9)
> (In reply to David Cook from comment #5)
> 
> > This looks like a hack. We should pass the code in via a public
> > method/function. That said, it looks like this OTP will wind up in the
> > message_queue table?
> 
> How vulnerable is that? Surely, the token will be expired very quickly but
> can we get back to the originating secret? And that said, would an attack on
> the email not have a higher chance of success?
> 
> https://security.stackexchange.com/questions/42671/is-oath-totp-and-or-google-authenticator-vulnerable-if-an-attacker-has-n-pre

I'm not an expert on the topic, but in theory you could try an offline brute-force
attack that could potentially reveal the secret eventually, although I imagine
we're using complex enough secrets that it would probably be computationally
improbable at this time.

Technically, I suppose we could encrypt the email contents at rest (like
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html), but
I think the risk is small enough that it can be a future enhancement...

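The offline brute-force question raised in the comments above, worked through as an added example (this is not Koha's code and does not use Koha's or Auth::GoogleAuth's implementation; it is a plain RFC 4226/6238 HOTP/TOTP in Python). Each leaked 6-digit code only rules out about one in a million candidate secrets, so an attacker who scrapes a few codes out of `message_queue` can, in principle, enumerate the key space and keep the keys consistent with all of them. The toy 16-bit secret, the timestamps and the "leaked" codes are constructed so the enumeration finishes in seconds; the same loop over a real 80- or 160-bit secret is what makes the attack computationally improbable, as the `expected_survivors` arithmetic shows.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(key, unix_time // step, digits)


def expected_survivors(key_bits: int, tokens_seen: int, digits: int = 6) -> float:
    """Expected number of *wrong* keys still consistent after `tokens_seen` leaked codes.

    Each digits-digit code filters the key space by 10**digits, so
    survivors ~ 2**key_bits / 10**(digits * tokens_seen). Even when this drops
    below 1 (the codes pin the secret down), finding it still costs 2**key_bits HMACs.
    """
    return 2 ** key_bits / (10 ** digits) ** tokens_seen


def recover_key_offline(observed, key_bits: int, step: int = 30, digits: int = 6):
    """Offline brute force against leaked (unix_time, code) pairs.

    Enumerates every key of `key_bits` bits and keeps those matching all observations.
    Feasible only because the demo key is tiny (an assumption made for this example);
    with a real-sized secret this loop never finishes.
    """
    key_len = (key_bits + 7) // 8
    survivors = []
    for n in range(1 << key_bits):
        key = n.to_bytes(key_len, "big")
        if all(totp(key, t, step, digits) == code for t, code in observed):
            survivors.append(key)
    return survivors


# Constructed toy scenario (not real data): a deliberately tiny 16-bit secret and two
# codes "leaked" from stored notices, one time step apart.
TOY_KEY_BITS = 16
TOY_KEY = bytes.fromhex("beef")
TOY_TIMES = (1_650_000_000, 1_650_000_030)
LEAKED = [(t, totp(TOY_KEY, t)) for t in TOY_TIMES]


def demo():
    found = recover_key_offline(LEAKED, TOY_KEY_BITS)
    print("leaked codes:", LEAKED)
    print("keys consistent with both codes:", [k.hex() for k in found])
    for bits in (TOY_KEY_BITS, 80, 160):
        print(f"{bits:3d}-bit secret, 2 leaked codes: ~{expected_survivors(bits, 2):.3g} "
              f"wrong keys survive, {2 ** bits:.3g} HMACs to enumerate")


if __name__ == "__main__":
    demo()
```

The `hotp`/`totp` functions are checked against the RFC 6238 Appendix B SHA-1 test vectors (shared secret `12345678901234567890`). The practical takeaway matches the comment above: leaked codes do leak information about the secret, roughly 20 bits per code, but the cost of exploiting that is a full key-space enumeration, which is only realistic if the secret itself is weak or short.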