alexzorin / authy

Go library and program to access your Authy TOTP secrets.
MIT License
800 stars 58 forks

Failure in decrypt not assumed to be a wrong password #2

Open Tsaukpaetra opened 4 years ago

Tsaukpaetra commented 4 years ago

Console log:

2019/07/30 01:15:13 Found existing device registration
2019/07/30 01:15:13 Authy User ID {{OBFUSCATED}}, Device ID {{OBFUSCATED}}
2019/07/30 01:15:13 Please provide your Authy TOTP backup password:
2019/07/30 01:15:17 Here are your authenticator tokens:

panic: runtime error: slice bounds out of range

goroutine 1 [running]:
github.com/alexzorin/authy.decryptToken({{OBFUSCATED}})
        /home/travis/gopath/src/github.com/alexzorin/authy/crypto.go:110 +0x4bb
github.com/alexzorin/authy.AuthenticatorToken.Decrypt({{OBFUSCATED}})
        /home/travis/gopath/src/github.com/alexzorin/authy/objects.go:175 +0x88
main.main()
        /home/travis/gopath/src/github.com/alexzorin/authy/cmd/authy-export/authy-export.go:71 +0x631

Strange that it was a panic, but there you go. :)

For those who aren't launching the tool in terminal, might include one last "Press any key to exit" prompt, the window just disappears upon completion.

alexzorin commented 4 years ago

The decryption panic snuck in when I fixed an earlier decryption unpadding issue, oops. https://github.com/alexzorin/authy/commit/3eabc63e630f7e0a5252c69d9bddf9b0d8338088 should fix it.

That said, I think that this error almost certainly means either wrong password or bad data.

Couple of things you can do:

For those who aren't launching the tool in terminal, might include one last "Press any key to exit" prompt, the window just disappears upon completion.

I guess this is specific to Windows? Makes sense, but I'm not sure if there's a way to tell whether a user ran via "double click" rather than from cmd.exe. It's got a terminal attached either way. I'll have a think.
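
The bounds-checked unpadding that the fix above is about, as an added example that is not the project's crypto.go and makes no claim about how Authy actually encrypts backups: a PKCS#7 unpad that returns ErrInvalidPadding for every malformed case (including a pad byte larger than the buffer, which is what a naive `buf[:len(buf)-int(buf[len(buf)-1])]` turns into a "slice bounds out of range" panic), wrapped in an AES-256-CBC decrypt whose key comes from an inlined PBKDF2-HMAC-SHA256. The salt, IV, iteration count, password and base32 seed are constructed for the example; `encryptSecret` exists only to build a sample blob so the whole thing runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrInvalidPadding is what the caller should see instead of a panic. For a
// password-protected backup it almost always means a wrong password or a
// corrupt blob, and the CLI can say exactly that.
var ErrInvalidPadding = errors.New("invalid padding: wrong password or corrupted data")

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) inlined so the
// example has no dependencies. It is an assumption, not Authy's real KDF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	ctr := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// pkcs7Unpad validates everything a one-line unpad skips: empty input, a
// length that is not a block multiple, a pad byte of 0, a pad byte larger
// than the block or the buffer, and pad bytes that disagree with each other.
func pkcs7Unpad(buf []byte, blockSize int) ([]byte, error) {
	n := len(buf)
	if n == 0 || n%blockSize != 0 {
		return nil, ErrInvalidPadding
	}
	pad := int(buf[n-1])
	if pad == 0 || pad > blockSize || pad > n {
		return nil, ErrInvalidPadding
	}
	for _, b := range buf[n-pad:] {
		if int(b) != pad {
			return nil, ErrInvalidPadding
		}
	}
	return buf[:n-pad], nil
}

func pkcs7Pad(buf []byte, blockSize int) []byte {
	pad := blockSize - len(buf)%blockSize
	return append(append([]byte(nil), buf...), bytes.Repeat([]byte{byte(pad)}, pad)...)
}

// deriveKey uses a deliberately low iteration count so the example is quick;
// a real backup format would use far more.
func deriveKey(password, salt []byte) []byte {
	return pbkdf2SHA256(password, salt, 1000, 32)
}

// encryptSecret builds a sample AES-256-CBC/PKCS#7 blob for the demo only.
func encryptSecret(password, salt, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptSecret turns every padding problem into ErrInvalidPadding so the
// exporter can report "wrong password" instead of crashing.
func decryptSecret(password, salt, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%block.BlockSize() != 0 {
		return nil, ErrInvalidPadding
	}
	padded := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ciphertext)
	return pkcs7Unpad(padded, block.BlockSize())
}

func main() {
	// Constructed sample: fixed salt and IV so the run is reproducible.
	salt := []byte("constructed-salt")
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	blob, _ := encryptSecret([]byte("correct password"), salt, iv, []byte("JBSWY3DPEHPK3PXP"))
	for _, pw := range []string{"correct password", "fat-fingered"} {
		pt, err := decryptSecret([]byte(pw), salt, iv, blob)
		if errors.Is(err, ErrInvalidPadding) {
			fmt.Printf("%q: %v\n", pw, err)
		} else if err != nil {
			fmt.Printf("%q: unexpected error: %v\n", pw, err)
		} else {
			fmt.Printf("%q: decrypted %q\n", pw, pt)
		}
	}
}
```

One caveat worth keeping in mind when mapping this error to "wrong password": a wrong key still yields a valid-looking pad (a final byte of 0x01) roughly one time in 256, so an exporter should also sanity-check the plaintext it gets back, for example that a TOTP seed decodes as base32, before printing it as a token.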

Tsaukpaetra commented 4 years ago

Yeah, I just fat-fingered the password when I discovered it.

The terminal thing might not necessarily be Windows-only, haven't tried it on anything else though. I don't recall if it's possible to know if the program was launched directly or inside the terminal, but I'm betting the answer would be no.