danjde - 26 Jul 2020

Hi Friends,
I've always wondered if there was any Google tracking code in "Two Factor Authentication - Google Authenticator" plugin.

So I started looking at the libpam Google code from which it should draw, and I found this call stack:

```c
if (encoderURL) {
  // Show a QR code.
  const char *encoder = "https://www.google.com/chart?chs=200x200&"
                        "chld=M|0&cht=qr&chl=";
  const char *encodedURL = urlEncode(url);

  *encoderURL = strcat(strcpy(malloc(strlen(encoder) +
                                     strlen(encodedURL) + 1),
                              encoder), encodedURL);
  free((void *)encodedURL);
}
```

where Google admits to having access to the token:

```c
printf("Warning: pasting the following URL into your browser exposes the OTP secret to Google:\n %s\n", encoderURL);
```

So I wrote to the google-authenticator-libpam developers for more information, and opened an issue (immediately archived), if you want to dig deeper.

Coming back to Joomla!, what do you think about "Two Factor Authentication - Google Authenticator" and Joomla! users privacy?

Why not use code more respectful of privacy (but also of security) for Joomla!? And try to keep Google as much as possible out of our lives?

Many thanks!

Davide

danjde - open - 26 Jul 2020
danjde - change - 26 Jul 2020
Title changed from: Replace "Two Factor Authentication - Google Authenticator" with "oath-toolkit"
to: Replace "Two Factor Authentication - Google Authenticator" with "oath-toolkit" code (more privacy and more security)
danjde - edited - 26 Jul 2020
brianteeman - comment - 26 Jul 2020

To the best of my knowledge Joomla does not use that library, and the terminology of "Google Authenticator" is used to describe the type of authentication; it clearly states that
"This feature allows you to use Google Authenticator, or a compatible application such as FreeOTP, for two factor authentication."

But please check the code, I could be wrong.

ReLater - comment - 27 Jul 2020

Then we should call it "FreeOTP Authenticator" and add a hint that it can also be used with GA.
(I'm just joking, but I never used this Authenticator plugin because of "Google" in the name. Hence it was clear to me that G participates (again) when I use it.)

Just BTW: In the German plugin description "FreeOTP" is not mentioned.

danjde - comment - 27 Jul 2020

It would be interesting to know whether the "Two Factor Authentication - Google Authenticator" plugin uses Google code or not.
A simple "grep" in plugins/twofactorauth/ does not return any Google call, but this might not be sufficient to be safe from Google!

What code was used by the developers for 2FA on "Joomla!" 3.x?

And then the name (Google)! I really can't stand it! With all the tools/apps that allow you to create HOTP codes!!
Please change it ;-)

Davide

brianteeman - comment - 27 Jul 2020

@danjde the Joomla code is open, feel free to check it yourself and confirm what I already wrote.

PhilETaylor - comment - 29 Jul 2020

The issue reported is that in some implementations the QR Code is drawn by a call to a Google URL.

Eg: https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=

However, Joomla (3) doesn't use a remote service to render the QR Code; it uses JavaScript (see: https://github.com/joomla/joomla-cms/blob/f4ef944a8f3c305dc0314ef41c678a2f9b266756/media/plg_twofactorauth_totp/js/qrcode.js)

Therefore the secret is NOT passed to Google!

Google Authenticator is the best-known TOTP code generator. Others, as has been said, are available, but they are all compatible (mostly). I personally use the 1Password app, which stores and generates my TOTP codes.

Users are more likely to know what "Google Authenticator" is than calling it "Any TOTP Code Generator".

PhilETaylor - comment - 29 Jul 2020

And as for checking the code, the class used is https://github.com/joomla/joomla-cms/blob/d3fb98cb9ba20a6e03b78ba7ee269b336c04862f/libraries/fof/encrypt/totp.php which doesn't use Google either.

There is a Google URL in that class, but as I have said, it's not used, and JavaScript is used to generate the QR code.

PhilETaylor - comment - 29 Jul 2020

Lastly, the suggestion that the project

Replace "Two Factor Authentication - Google Authenticator" with "oath-toolkit" code

is laughable ...

The OATH Toolkit is:

The components included in the package are:
liboath: A shared and static C library for OATH handling.
oathtool: A command line tool for generating and validating OTPs.
pam_oath: A PAM module for pluggable login authentication for OATH.
libpskc: A shared and static C library for PSKC handling.
pskctool: A command line tool for manipulating PSKC data.

I would love to see how you suggest implementing that in the mass-market PHP Application that runs on shared web hosts.

brianteeman - comment - 29 Jul 2020

This really should be closed as it is not an issue.

Quy - change - 29 Jul 2020
Status: New changed to Closed
Closed_Date: 2020-07-29 22:24:32
Closed_By: Quy
Quy - close - 29 Jul 2020
danjde - comment - 30 Jul 2020

It was exactly the sloth that led Hitler to the government of Nazi Germany.
Google is no less and this time the whole planet is at stake.
Good Luck!

Davide
