Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 20 Jun 2015 17:12:27 -0400
From: Justin Bull <>
Subject: CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT" 


Please excuse me if I’m doing this incorrectly, this is my first time attempting to acquire a CVE ID for a discovered vulnerability.

NOTE: I have already sent a similar email to MITRE requesting a CVE ID, but been advised to submit here as well (then cancel the request to MITRE, since those poor folks deal with thousands of requests).

== Affected Software: ==

The Ruby One Time Password Library (

A ruby library for generating one time passwords (HOTP & TOTP) according to RFC 4226 and RFC 6238.

ROTP is compatible with the Google Authenticator available for Android and iPhone.

== Type of Attack: ==

- Man in The Middle
- Shoulder Surfing

== Versions affected: ==

All versions.

== Description of Vulnerability: ==

The TOTP feature of the software is not fully compliant with Section 5.2 of RFC 6238[1] and does not “burn” a successfully validated OTP.

When the provider sends a valid OTP to the verifier, the verify must not accept subsequent submissions of the same OTP in that given time step. That is, in order to maintain the “One-Time” aspect of a One-Time Password, it can be used once and only once.

== Impact / Attack: ==

In a two-factor authentication context, an attacker could Man-in-The-Middle the connection between the verifier and provider, obtain the username, password, & OTP values, and log in with the credentials within the current time step (a 30 second window, if defaults are used). Arguably, this defeats the two-factor authentication since the OTP can be replayed multiple times.

Alternatively, an attacker could “shoulder surf” the victim’s second factor device in lieu of compromising the connection.

This information has been captured in the bug report to the maintainer of ROTP[2].

== Solution: ==

None yet, the fix[3] is not merged into codebase and not released.

== Acknowledgements: ==

Thanks to Viliam Holub ( for originally tipping me off to the RFC non-compliance in software that utilizes the ROTP library[4].

== References:==


Best Regards,

Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C

Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.