QR Code Generator leaks secret to third party

[phayes]

When generating a QR code, this library sends the shared secret, which should be kept absolutely secret, to a third party website for processing into a QRcode image.

Leaking the shared secret like this is very undesirable in a security focused library. QRCode generation should happen locally.

[PHPGangsta]

You can of cause use your own QRCode generation library. The Google QRCode generator is just an easy and quick example. Google does not know which account it's connected to, and I guess has better things to do then trying to abuse the generated QRCodes...

I don't want to add a dependency to an external library, which many people don't need. And nobody stops you from calling createSecret() and feed that into your own local QRCode generator.

Maybe I should add a small comment, that for 100% security a user should not use the Google QRCode generator, but a local one? Can you recomment a good PHP QRCode generator which is easy to use as a dependency for local QRCode generation?

[RobThree]

You may want to take a look at this alternative. It allows for easy integration of your favorite QR code generator.

Having said that: yes, the secret should be kept secret as much as possible but there are a few things to consider:

• It's part of a 2FA, even if a third party had the secret, they have no way of having the other factor (username/password usually)
• This library (PHPGangsta's that is) may "push" developers towards simply including an <img src="https://www.google.com/chart"... which would give Google an idea of the IP (or whatever) associated with the secret; TwoFactorAuth mitigates this by requesting the QR-code server-side so all secrets are sent to the same host so Google (or whomever) won't know where the secret was sent to. And, as mentioned, TwoFactorAuth allows for easy integration of your own server-side QR-code library so you won't have to rely on third parties at all (which is, indeed, even more secure).

TwoFactorAuth also mitigates other attack-vectors this library has (see issues and PR's) such as using a CSRNG by default (non CS (i.e. PRNG) opt-in/allowed though) and timing side-channel attacks and is available as a composer package and is has a very similar API with PHPGangsta's.

Full disclosure: I am the developer of the mentioned TwoFactorAuth library.