Date: Sun, 6 Sep 2015 11:55:41 -0400
From: Justin Bull <>
Subject: CVE Request: TOTP Replay Attack in Ruby library "devise-two-factor"

Hello again,

I’d like to request a CVE ID for the following:

== Affected Software: ==

Devise-Two-Factor Authentication (
By Tinfoil Security (

Devise-two-factor is a minimalist extension to Devise which offers support for two-factor authentication, through the TOTP scheme.

This enables Ruby on Rails applications to have strong two-factor authentication in their auth/auth flow.

== Versions Affected: ==

All versions.

== Fixed Versions: ==


== Description of Vulnerability: ==

The library’s use of TOTP for Two-Factor Authentication is not fully compliant with Section 5.2 of RFC 6238[1] and does not “burn” a successfully validated OTP.

When the prover (end user) sends a valid OTP to the verifier (web app), the verifier must not accept subsequent submissions of the same OTP in that given time-step. That is, in order to maintain the “One-Time” aspect of a One-Time Password, it can be used once and only once.

== Impact / Attack: ==

Given an attacker already knows a victim’s credentials, they could "shoulder surf" the victim’s second factor device, obtaining the OTP, and log in with the known credentials & OTP within the current time-step (a default 30 second window). This defeats two-factor authentication for the duration of the time-step.

Alternatively, an attacker could Man-in-The-Middle the connection between the prover and verifier, and replay the OTP & credentials within the given time-step. This, however, is not as much of a concern since, if an attacker can MITM the connection, they can just obtain the granted session secret from the response instead.

Although a narrow vulnerability, it remains a valid security issue that’s been explicitly called out in the RFC[1].

== Solution: ==

Use the library’s implicit access to a persistence layer to store “burned” OTPs, preventing multiple uses of an OTP in a given time-step.

Proposed fix pending vendor acceptance and release[2].

== Previously Requested: ==

Not to my knowledge.

== Acknowledgements: ==

Thanks to Viliam Holub ( for originally reporting the issue[3].
Thanks to Shane Wilton of Tinfoil Security ( for validating my suggested solution.

== References: ==


Best Regards,

Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
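The "burn" behaviour the Description and Solution sections ask for, as an added example that is not part of the post or of devise-two-factor: an RFC 6238 TOTP generator (HMAC-SHA1, 6 digits, 30 s step) plus a verifier that records the last consumed time-step per user, so a code accepted once is rejected when replayed inside the same window. The secret is assumed to be raw bytes rather than a Base32 string, and the persistence layer is a plain attribute standing in for a database column.

```ruby
require 'openssl'

# Minimal RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1, 6 digits, 30 s).
# Added example; the secret is raw bytes (constructed), not Base32.
module Totp
  DIGITS = 6
  STEP   = 30

  def self.hotp(secret, counter)
    msg    = [counter].pack('Q>')                     # 8-byte big-endian counter
    hmac   = OpenSSL::HMAC.digest('sha1', secret, msg)
    offset = hmac[-1].ord & 0x0f                      # dynamic truncation offset
    code   = hmac[offset, 4].unpack1('N') & 0x7fffffff
    format("%0#{DIGITS}d", code % 10**DIGITS)
  end

  def self.timestep(time)
    time.to_i / STEP
  end

  def self.at(secret, time)
    hotp(secret, timestep(time))
  end
end

# Verifier that "burns" the time-step of an accepted OTP. In a real app the
# consumed_timestep attribute would be persisted per user (assumed here).
class BurningVerifier
  attr_reader :consumed_timestep

  def initialize(secret, drift: 1)
    @secret, @drift, @consumed_timestep = secret, drift, nil
  end

  # Returns true on the first valid use of a code; false on replay, on any
  # code from a step at or before the burned one, or on a wrong code.
  def verify(code, now: Time.now)
    step = Totp.timestep(now)
    (step - @drift..step + @drift).each do |candidate|
      next unless secure_compare(Totp.hotp(@secret, candidate), code)
      return false if @consumed_timestep && candidate <= @consumed_timestep
      @consumed_timestep = candidate                 # burn this step
      return true
    end
    false
  end

  private

  # Constant-time comparison so the check does not leak matching prefixes.
  def secure_compare(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).map { |x, y| x ^ y }.reduce(0, :|).zero?
  end
end
```

With the RFC 4226/6238 test secret "12345678901234567890", `Totp.at` at Unix time 59 yields "287082"; a second `verify` of that code at time 70 (same drift window) returns false.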
