conorgil / 2fa-notifier

2FA Notifier is a web extension that notifies users whether or not the sites they visit support two factor authentication (2FA).
https://2fanotifier.org
MIT License

subdomains are not being recognised. #105

Closed thinksabin closed 4 years ago

thinksabin commented 5 years ago

Hi, thanks for the great tool. I dug into this after watching Tanya's OWASP DevSlop video, and I found out this application is kind of data-driven. I'm guessing the data is in this file: https://github.com/conorgil/2fa-notifier/blob/master/src/typescript/utils/dataService.ts

In Tanya's video she got a false negative notification because she used the https://my.wealthsimple.com/app/login?redirect=%252F page, which is the subdomain for login. Although your data does include wealthsimple.com in the list, the application is not parsing subdomains, hence the false negative.

Replication steps:

  1. Browse to https://www.wealthsimple.com/en-ca/: green tick in the 2fa-notifier icon.
  2. Click the 'login' button on https://www.wealthsimple.com/en-ca/: the site redirects to the subdomain and there is no longer a green tick in 2fa-notifier.

Thanks for this great tool again. Would love to see it grow.
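The lookup behaviour described in the report, written out as an added example (this is not the extension's own dataService.ts code, and the `SITES` list and `PUBLIC_SUFFIXES` set are constructed for the example). It contrasts a naive substring check, which produces false positives, with a hostname lookup that walks parent labels so that `my.wealthsimple.com` resolves to the `wealthsimple.com` entry, and that stops at a public suffix so a hosted subdomain such as `example.github.io` cannot inherit an entry for the shared parent:

```typescript
// Added example, not code from the 2fa-notifier project.
// Assumptions: the site list is keyed by registrable domain, and a
// public-suffix set is available. Both are constructed here.

type SiteEntry = { name: string; tfa: boolean };

// Constructed sample of a data-driven site list keyed by registrable domain.
const SITES: Record<string, SiteEntry> = {
  "wealthsimple.com": { name: "Wealthsimple", tfa: true },
  "github.com": { name: "GitHub", tfa: true },
};

// Tiny stand-in for the Public Suffix List (publicsuffix.org). A real
// implementation should load the full list: walking past a public suffix
// would let an entry such as "co.uk" or "github.io" match unrelated sites
// run by different operators.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "github.io"]);

// Naive approach: a substring test over the whole URL. It matches
// "https://wealthsimple.com.evil.test/" and "?next=wealthsimple.com" too,
// so it yields false positives. Kept only to contrast with lookupSite.
function naiveLookup(url: string): SiteEntry | undefined {
  for (const domain of Object.keys(SITES)) {
    if (url.includes(domain)) return SITES[domain];
  }
  return undefined;
}

// Fixed approach: parse the URL, take only the hostname, then try the
// hostname and each shorter parent-label suffix against the list,
// stopping before a public suffix is reached.
function lookupSite(url: string): SiteEntry | undefined {
  let host: string;
  try {
    // Lower-case and drop a trailing dot so "My.WealthSimple.com." normalises.
    host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return undefined; // not a parsable URL (e.g. "not a url")
  }
  if (host.length === 0) return undefined; // about:blank, data: URLs, etc.

  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) break; // never match the suffix itself
    const entry = SITES[candidate];
    if (entry) return entry;
  }
  return undefined;
}
```

With this lookup both `https://www.wealthsimple.com/en-ca/` and `https://my.wealthsimple.com/app/login?redirect=%252F` resolve to the same `wealthsimple.com` entry, while a look-alike host such as `wealthsimple.com.evil.test` does not, because its parent labels are `com.evil.test`, `evil.test` and `test`, none of which is in the list.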

conorgil commented 4 years ago

Thanks for filing this issue! Issue #90 discusses this same problem. I just need to find the time to update the code and release a fix.