FreshSupaSulley / Auto-2FA

Login through Duo Mobile in your browser
https://chrome.google.com/webstore/detail/duochrome/bnfooenhhgcnhdkdjelgmmkpaemlnoek
MIT License
22 stars · 6 forks

Support login with verification code #11

Open ldzhjn opened 4 months ago

ldzhjn commented 4 months ago

Can we support login with a verification code? Right now Duochrome is throwing the exception below: 400 - Bad Request {"code":40014,"message":"Please enter the verification code to respond to this login.","stat":"FAIL"}

The workflow is like this: the Duo login page pops up with a four- or six-digit verification code. Enter these digits in Duochrome and press login.

FreshSupaSulley commented 4 months ago

Sorry I'm a bit confused. Is this a feature request, or is the new update breaking the functionality of older versions and is throwing that error?

Are you referring to functionality like this? I would be down to add this feature but I don't have a way to test this workflow and put it into the extension. I'm a student and my organization uses push requests, not codes to approve logins so I can't study the HTTP traffic.

ldzhjn commented 4 months ago

> Sorry I'm a bit confused. Is this a feature request, or is the new update breaking the functionality of older versions and is throwing that error?
>
> Are you referring to functionality like this? I would be down to add this feature but I don't have a way to test this workflow and put it into the extension. I'm a student and my organization uses push requests, not codes to approve logins so I can't study the HTTP traffic.

Yes, this is a feature request. Is it possible for me to provide sniffed HTTP packets so that you can work on this? Thanks

FreshSupaSulley commented 4 months ago

That would be great.

FreshSupaSulley commented 4 months ago

@ldzhjn I used Android Studio to set up an emulator and HTTP Toolkit to sniff the packets. When the activation packet gets sent through, it attaches a "jailbroken: true" property to the request. You can use HTTP Toolkit to intercept this traffic, change it to false, and send it. But before you do any of that, there's the issue of SSL pinning. I used a Frida SSL unpinning script to view the HTTPS traffic.

This is a lot of work. Is there a way I can get an account for your organization and I can try reading the traffic instead?

ldzhjn commented 4 months ago

@FreshSupaSulley It's not possible to get an account from my organization because of security concerns. Thanks for the guideline, I managed to set up HTTP Toolkit now. But I'm stuck at SSL unpinning; it's showing

 !!! --- Unexpected TLS failure --- !!!
      CertificateException: Unable to construct a valid chain
      Thrown by mj.q1->h
      [ ] Unrecognized TLS error - this must be patched manually

The same command and script works on Twitter app though. Any tips?

FreshSupaSulley commented 4 months ago

Strange. Try different Frida scripts online? There should be a lot of SSL unpinning ones available.

This tutorial is pretty close to what I ended up with: https://youtu.be/hfmjpd0n3sM?si=uidKTs55WXwsEblm

ldzhjn commented 4 months ago

Here's the HTTP request that sends the verification code to the Duo server; step_up_code is the verification code:

curl -X $'POST' \
    -H $'Host: api-123.duosecurity.com' -H $'Authorization: Basic token' -H $'X-Duo-Date: Wed, 15 May 2024 08:36:02 -0000' -H $'User-Agent: DuoMobileApp/4.64.0 (Phone Model) okhttp3/4.11.0' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 838' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: close' \
    --data-binary $'answer=approve&push_received=true&pull_to_refresh_used=false&from_wearable=false&used_actions=false&touchid=false&step_up_code=1111&step_up_code_autofilled=false&in_work_profile=false&app_install_id=id&app_version=4.64.0&using_auto_time=true&has_duo_wear=false&ble_status=undetermined&jailbroken=false&security_patch_level=2024-04-05&language=en&version=13&platform=Android&manufacturer=S&has_wearable=false&days_since_last_system_backup_attempt=unknown&encrypted_system_backup_available=unknown&app_build_number=464010&passcode_status=true&full_disk_encryption=true&model=S&play_services_available=true&touchid_status=true&region=US&app_id=com.duosecurity.duomobile&architecture=aarch64&akey=DAR&hsm_status=true&fips_status=1&otp_gen_state=hotp&pkpush=rsa-sha512' \
    $'https://api-123.duosecurity.com/push/v2/device/transactions/(transactionsId)'
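The flow the two comments above describe, as an added example that is not Duochrome's code and not Duo's documented API: answer the push transaction, detect the {"code":40014,...,"stat":"FAIL"} reply quoted at the top of the issue, prompt the user for the code, and re-send with step_up_code set. Only the field names and the 40014 reply are taken from this thread; the transport, the fake Duo endpoint (including its made-up "invalid code" reply), the fixed Authorization value and the 4-or-6-digit check are assumptions for illustration.

```javascript
// Added example, not Duochrome's own code. Demonstrates handling Duo's
// "verification code required" (code 40014) reply by re-sending the
// transaction answer with step_up_code, using the form fields captured
// in this issue. Everything not in the captured request is an assumption.

// Subset of the device fields from the captured request in this thread.
// The real app sends many more (model, patch level, ...); omitted here.
const BASE_FIELDS = {
  answer: "approve",
  push_received: "true",
  pull_to_refresh_used: "false",
  step_up_code_autofilled: "false",
  jailbroken: "false",
  app_id: "com.duosecurity.duomobile",
  app_version: "4.64.0",
  platform: "Android",
};

// Build the application/x-www-form-urlencoded body. step_up_code is only
// added once the user has typed one; sending no code is what produces 40014.
// The 4-or-6-digit check mirrors the codes described in the issue (assumption).
function buildTransactionBody(stepUpCode) {
  const params = new URLSearchParams(BASE_FIELDS);
  if (stepUpCode !== undefined && stepUpCode !== null) {
    if (!/^(\d{4}|\d{6})$/.test(stepUpCode)) {
      throw new Error("verification code must be 4 or 6 digits");
    }
    params.set("step_up_code", stepUpCode);
  }
  return params.toString();
}

// Classify a Duo reply. {"code":40014,"message":"...","stat":"FAIL"} is the
// body quoted in this issue; any other FAIL is reported as a plain error.
function classifyResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { kind: "error", message: `HTTP ${status}: unparseable body` };
  }
  if (body.stat === "OK") return { kind: "ok", response: body.response };
  if (body.code === 40014) return { kind: "code_required", message: body.message };
  return { kind: "error", message: body.message ?? `HTTP ${status}` };
}

// Answer one transaction: try without a code; if Duo asks for one, get it
// from the user via promptForCode and retry once. transport(path, headers,
// body) returns {status, text}; in the extension it would be fetch() against
// the api-<host>.duosecurity.com host, here it is injected so this runs offline.
async function replyToTransaction(transport, txnId, authHeader, promptForCode) {
  const path = `/push/v2/device/transactions/${encodeURIComponent(txnId)}`;
  const headers = {
    Authorization: authHeader, // assumption: caller supplies the real value
    "Content-Type": "application/x-www-form-urlencoded",
  };
  let res = await transport(path, headers, buildTransactionBody());
  let result = classifyResponse(res.status, res.text);
  if (result.kind === "code_required") {
    const code = await promptForCode(result.message);
    res = await transport(path, headers, buildTransactionBody(code));
    result = classifyResponse(res.status, res.text);
  }
  return result;
}

// Constructed fake Duo endpoint for the demo. It returns the 40014 body from
// the issue when step_up_code is absent; the "wrong code" reply is made up.
function fakeDuoTransport(expectedCode) {
  return async (path, headers, body) => {
    const params = new URLSearchParams(body);
    if (!params.has("step_up_code")) {
      return {
        status: 400,
        text: JSON.stringify({
          code: 40014,
          message: "Please enter the verification code to respond to this login.",
          stat: "FAIL",
        }),
      };
    }
    if (params.get("step_up_code") !== expectedCode) {
      return { status: 400, text: JSON.stringify({ code: 0, message: "fake: wrong code", stat: "FAIL" }) };
    }
    return { status: 200, text: JSON.stringify({ stat: "OK", response: { path } }) };
  };
}

module.exports = { buildTransactionBody, classifyResponse, replyToTransaction, fakeDuoTransport };
```

In an extension the promptForCode callback would be the popup's text field, and transport would be fetch() with the Authorization and X-Duo-Date headers the captured request carries; how those header values are derived is not shown on this page and is left to the caller.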