GoogleAuthenticator icon indicating copy to clipboard operation
GoogleAuthenticator copied to clipboard
verified publisher icon PHPGangsta

Information Security violation by using google charts

Open friedrichroell opened this issue 6 years ago • 3 comments

As mentioned by kravietz on Stackoverflow https://stackoverflow.com/a/56737468/1171107

[...] Theusage of Google Charts are absolutely terrible from information security point of view. That's essentially sharing the TOTP secret as well as your username ([email protected]) and issuer (Example) with a third-party company with no legal obligation to keep them secret, and doing that over a GET request! Doing so you violate not only every single assumption underlying multi-factor authentication but also most likely your organisation's information security policy. It nullifies any value added by MFA since the only factor that protects you from compromising your account in case of password breach is itself breached.

friedrichroell avatar Aug 28 '19 08:08 friedrichroell

It doesn't uses google charts to generate QR code. It used different API for that

FaizanF59 avatar Sep 09 '19 12:09 FaizanF59

It is using "https://api.qrserver.com/v1/create-qr-code" to generate the QR code for now. To avoid security violation issue, you can use javascript library "https://github.com/davidshimjs/qrcodejs" to generate QR code in client side.

biechao avatar Dec 03 '19 05:12 biechao

OR: https://larsjung.de/kjua/

Friends4U avatar Oct 04 '20 19:10 Friends4U