Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 6 Sep 2015 11:55:41 -0400
From: Justin Bull <>
Subject: CVE Request: TOTP Replay Attack in Ruby library "devise-two-factor"

Hello again,

I’d like to request a CVE ID for the following:

== Affected Software: ==

Devise-Two-Factor Authentication (
By Tinfoil Security (

Devise-two-factor is a minimalist extension to Devise which offers support for two-factor authentication, through the TOTP scheme.

This enables Ruby on Rails applications to have strong two-factor authentication in their auth/auth flow.

== Versions Affected: ==

All versions.

== Fixed Versions: ==


== Description of Vulnerability: ==

The library’s use of TOTP for Two-Factor Authentication is not fully compliant with Section 5.2 of RFC 6238[1] and does not “burn” a successfully validated OTP.

When the prover (end user) sends a valid OTP to the verifier (web app), the verifier must not accept subsequent submissions of the same OTP in that given time-step. That is, in order to maintain the “One-Time” aspect of a One-Time Password, it can be used once and only once.

== Impact / Attack: ==

Given an attacker already knows a victim’s credentials, they could "shoulder surf" the victim’s second factor device, obtaining the OTP, and login with the known credentials & OTP within the current time-step (a default 30 second window). This defeats two-factor authentication for the duration of the time-step.

Alternatively, an attacker could Man-in-The-Middle the connection between the prover and verifier, and replay the OTP & credentials within the given time-step. This however is not as much as a concern since, if an attacker can MITM the connection, they can just obtain the granted session secret from the response instead.

Although a narrow vulnerability, it remains a valid security issue that’s been explicitly called out in the RFC[1].

== Solution: ==

Use the library’s implicit access to a persistence layer to store “burned” OTPs, preventing multiple uses of an OTP in a given time-step.

Proposed fix pending vendor acceptance and release[2].

== Previously Requested: ==

Not to my knowledge.

== Acknowledgements: ==

Thanks to Viliam Holub ( for originally reporting the issue[3].
Thanks to Shane Wilton of Tinfoil Security ( for validating my suggested solution.

== References:==


Best Regards,

Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C

Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.