Security Alert: Susceptible to MITM Attacks

[arleslie]

In the documentation it suggests using:

$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    $user->email,
    $user->google2fa_secret
);

This generates a URL to Google Charts.
Using this URL creates a GET request which allows all of the information to sniffed.

Using:

$google2fa_url = Google2FA::getQRCodeGoogleUrl(
    'YourCompany',
    'email',
    'OhHeyThe2faSecret'
);

Returns: https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FYourCompany%3Aemail%3Fsecret%3DOhHeyThe2faSecret%26issuer%3DYourCompany
If you decode the &chl= part you get: otpauth://totp/YourCompany:email?secret=OhHeyThe2faSecret&issuer=YourCompany

The QR code should be generated server side rather than being passed to a 3rd Party.

[arleslie]

It should be recommended to use Google2FA::getQRCodeInline().

[arleslie]

Per a little bit more research it appears GET requests are protected with SSL.
My understanding before was that URLS are not encrypted so it appears this is fine unless the SSL to Google is being stripped. (Which if that happens then you're screwed anyway)

[GrahamCampbell]

Yeh, SSL means the whole request in encrypted.

[GrahamCampbell]

The URI is part of that.