scito / extract_otp_secrets

Extract one time password (OTP) secrets from QR codes exported by two-factor authentication (2FA) apps such as "Google Authenticator". The exported QR codes from authentication apps can be captured by camera, read from images, or read from text files. The secrets can be exported to JSON or CSV, or printed as QR codes to console.
https://scito.ch/content/extract-secret-keys-google-authenticator-qr-export
GNU General Public License v3.0

Broken key interpretation when NAME field has a space character #1

Closed bruindustin closed 3 years ago

bruindustin commented 3 years ago

The bug title pretty much explains it all. I played with this tool and it largely worked exactly as one would hope. All inputs successfully generated an output and a QR code; however, certain codes would not scan by GAuth. Upon studying the various permutations I realized it is the presence of space characters in the NAME field that seems to break the system. I replaced those on the upstream device with underscore characters and re-exported. Everything worked great that time.

I'm going to guess there's an improper chunk detector that's getting tricked by whitespace and thus breaking the secret.

scito commented 3 years ago

I could not reproduce the problem. Nevertheless, I've made a change. I quote the otp.name for printing the QR code. @bruindustin Can you check if the changed version works with spaces? If not, please reopen the issue.
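The effect of quoting the name before it goes into the QR code, as an added example that is not part of the thread and not the project's own code: an `otpauth://` URI built with and without percent-encoding of the label, then parsed back to confirm the name and secret survive. The function names, the `quote_name` switch and the sample account and key are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def build_otpauth_uri(name, secret, issuer="", otp_type="totp", quote_name=True):
    """Build an otpauth:// URI. `secret` is the raw key bytes from the export."""
    secret_b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    # The label is a URI path segment, so spaces must become %20.
    label = quote(name, safe="") if quote_name else name
    params = {"secret": secret_b32}
    if issuer:
        params["issuer"] = issuer
    return f"otpauth://{otp_type}/{label}?{urlencode(params, quote_via=quote)}"


def has_illegal_uri_chars(uri):
    """True if the URI holds whitespace, control or non-ASCII characters,
    none of which may appear unencoded in a URI (RFC 3986)."""
    return any(ord(c) < 0x21 or ord(c) > 0x7E for c in uri)


def parse_otpauth_uri(uri):
    """Decode an otpauth:// URI back into its fields."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    query = parse_qs(parts.query)
    b32 = query["secret"][0]
    b32 += "=" * (-len(b32) % 8)  # restore the padding stripped when building
    return {
        "type": parts.netloc,
        "name": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "issuer": query.get("issuer", [""])[0],
    }


if __name__ == "__main__":
    name = "Example Corp:alice@example.com"  # constructed account name with a space
    key = b"constructed-key!"                # constructed 16-byte secret
    for quoted in (False, True):
        uri = build_otpauth_uri(name, key, issuer="Example Corp", quote_name=quoted)
        print(f"quote_name={quoted}: illegal chars={has_illegal_uri_chars(uri)}")
        print(" ", uri)
```

The unquoted form still parses with Python's lenient `urlsplit`, which is one reason a bug like this can go unnoticed in local testing.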

bruindustin commented 3 years ago

Confirmed - that has fixed the issue on my test cases!

scito commented 3 years ago

@bruindustin Thanks for checking!