twofas / 2fas-android

Source code for 2FAS Android app


bug: Inaccurate imports from Aegis for accounts with names that happen to contain known brand names, and for different accounts with same secret key

elliotwutingfeng opened this issue

Bug type

Error at runtime

App version

5.3.5

Device environment

Android 14, Google Pixel 7a

Bug description

The following examples are plaintext JSON exports from Aegis that lead to incomplete or erroneous results when imported into 2FAS. All data shown is mock data. Android app data has been cleared before importing each example JSON, with Google Drive backups disabled.

Example 1

{
    "version": 1,
    "header": {
        "slots": null,
        "params": null
    },
    "db": {
        "version": 2,
        "entries": [
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532001",
                "name": "username@example.com",
                "issuer": "GitLab",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532002",
                "name": "1234567",
                "issuer": "Steel Grain",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532003",
                "name": "anonymous",
                "issuer": "PyPI",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532004",
                "name": "Tangent Ye",
                "issuer": "Hellenic",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532005",
                "name": "username@example.com",
                "issuer": "Discord",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532006",
                "name": "Power_ex.student@u.unitednations.edu",
                "issuer": "Power",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532007",
                "name": "johnsmith",
                "issuer": "Docker",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532008",
                "name": "smith",
                "issuer": "GitHub",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532009",
                "name": "superusername@example.me",
                "issuer": "Example",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532010",
                "name": "johnsmith",
                "issuer": "npm",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532011",
                "name": "username@example.com",
                "issuer": "kernel.org",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            }
        ]
    }
}

When importing this file into 2FAS, the application states that 11 Tokens will be imported. After tapping the Proceed button, only one account entry appears in the list.

The values in this account entry are:

  • Service Name: kernel.org
  • Secret Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  • Additional Info: username@example.com
  • Label: KE

Possible cause

There may be some pre-emptive de-duplication performed based on the Secret Key, which, for the above input JSON, is the same for all 11 accounts.

Effects

While the probability of different accounts from different providers sharing the same Secret Key is small, it is a non-zero possibility, and can potentially mislead users into thinking all their accounts are successfully imported when it is not the case, as demonstrated in this example.

Example 2

{
    "version": 1,
    "header": {
        "slots": null,
        "params": null
    },
    "db": {
        "version": 2,
        "entries": [
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532001",
                "name": "example@example.com",
                "issuer": "Golf",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532002",
                "name": "1111111",
                "issuer": "Stanley Shock",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532003",
                "name": "tingblast",
                "issuer": "Quebec",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532004",
                "name": "Special To",
                "issuer": "Hotel",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532005",
                "name": "tingblast@example.org",
                "issuer": "Delta",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532006",
                "name": "Meddle_ak.tingblast@example.com",
                "issuer": "Charlie",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532007",
                "name": "tingblast",
                "issuer": "Echo",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532008",
                "name": "tingblast",
                "issuer": "November",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532009",
                "name": "tingblast@example.gov",
                "issuer": "Papa",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532010",
                "name": "tingblast",
                "issuer": "linux",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532011",
                "name": "tingblast@example.org",
                "issuer": "python.org",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532012",
                "name": "Papa6",
                "issuer": "India",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532013",
                "name": "blockthisline",
                "issuer": "Romeo",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "20202020202020202020202020202020",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532014",
                "name": "wallet.alpha@example.net",
                "issuer": "Gmail",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "11111111111111111111111111111111",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532015",
                "name": "wallet.beta@example.net",
                "issuer": "Gmail",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "22222222222222222222222222222222",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532016",
                "name": "wallet.charlie@example.net",
                "issuer": "Gmail",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "33333333333333333333333333333333",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532017",
                "name": "wallet.delta@example.net",
                "issuer": "Bravo",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "44444444444444444444444444444444",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532018",
                "name": "wallet.gamma@example.net",
                "issuer": "Delta",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "55555555555555555555555555555555",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532019",
                "name": "wallet.omega@example.net",
                "issuer": "Bravo",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "66666666666666666666666666666666",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532020",
                "name": "tingblast",
                "issuer": "xenon",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "77777777777777777777777777777777",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532021",
                "name": "tingblast@example.org",
                "issuer": "Mike",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "88888888888888888888888888888888",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532022",
                "name": "admin@example.gov",
                "issuer": "Tango",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "99999999999999999999999999999999",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532023",
                "name": "tingblast@example.org",
                "issuer": "Kilo",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532024",
                "name": "tingblast@example.org",
                "issuer": "Alpha MFA",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532025",
                "name": "tingblast@example.org",
                "issuer": "Hotel",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532026",
                "name": "Apple555",
                "issuer": "Oscar",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532027",
                "name": "tingblast@example.org",
                "issuer": "Sierra",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532028",
                "name": "wallet@example.fr",
                "issuer": "Sierra",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            },
            {
                "type": "totp",
                "uuid": "a57dc3cf-ffff-8888-111d-3ac115532029",
                "name": "tingblast@example.org",
                "issuer": "Lima",
                "note": "",
                "favorite": false,
                "icon": null,
                "info": {
                    "secret": "10101010101010101010101010101010",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            }
        ]
    }
}

When importing this file into 2FAS, the application states that 25 out of 29 Tokens will be imported. After tapping the Proceed button, the following can be observed:

  • 4 tokens cannot be imported despite all accounts having unique combinations of name + issuer, and all secrets being unique.

  • All accounts with the substring ting in name have their issuer overwritten with Ting, which corresponds to this brand; the icon for this brand shows up in the entry. For example, this entry has its issuer imported as Ting, and name as tingblast. The real issuer, November, cannot be found in any of the fields when editing the entry. But if you type November in the search bar, this entry shows up as the only result.

                {
                    "type": "totp",
                    "uuid": "a57dc3cf-ffff-8888-111d-3ac115532008",
                    "name": "tingblast",
                    "issuer": "November",
                    "note": "",
                    "favorite": false,
                    "icon": null,
                    "info": {
                        "secret": "B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1",
                        "algo": "SHA1",
                        "digits": 6,
                        "period": 30
                    }
                },
  • Similar situation for this entry, where its label gets replaced with Apple (the iPhone company), but if you type Oscar into the search bar, it shows up as the sole search result.

                {
                    "type": "totp",
                    "uuid": "a57dc3cf-ffff-8888-111d-3ac115532026",
                    "name": "Apple555",
                    "issuer": "Oscar",
                    "note": "",
                    "favorite": false,
                    "icon": null,
                    "info": {
                        "secret": "D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2",
                        "algo": "SHA1",
                        "digits": 6,
                        "period": 30
                    }
                },

Possible cause

Possibly using the name field to determine the issuer, which can lead to mix-ups like this.

Effects

Data loss for Aegis users migrating to 2FAS. Imports from other authenticator brands should also be investigated for similar issues.

Solution

Fuzz testing to ensure data integrity when importing from other authenticators.

Additional context

No response

Acknowledgements

  • This issue is not a duplicate of an existing bug report.
  • I understand that security vulnerabilities should be reported to security@2fas.com instead of on GitHub.
  • I have chosen an appropriate title.
  • All requested information has been provided properly.
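
An import-integrity check for the two failure modes reported above (entries collapsed when secrets collide, issuer replaced when the name contains a brand name), as an added example that is not part of the original issue and not 2FAS code. The `naive_import` model, the `BRANDS` list and all helper names are assumptions made for illustration; the sample and fuzz inputs are constructed mock data in the Aegis plaintext layout shown in the issue.

```python
import json
import random

BRANDS = ("Ting", "Apple")  # assumption: only the two brands named in the issue


def make_export(entries):
    """Wrap (issuer, name, secret) tuples in the plaintext Aegis layout shown in the issue."""
    return json.dumps({
        "version": 1, "header": {"slots": None, "params": None},
        "db": {"version": 2, "entries": [
            {"type": "totp", "name": name, "issuer": issuer, "note": "",
             "favorite": False, "icon": None,
             "info": {"secret": secret, "algo": "SHA1", "digits": 6, "period": 30}}
            for issuer, name, secret in entries]}})


def parse_aegis(text):
    """Return one (issuer, name, secret) tuple per entry of a plaintext export."""
    return [(e["issuer"], e["name"], e["info"]["secret"])
            for e in json.loads(text)["db"]["entries"]]


def naive_import(tokens):
    """Hypothetical importer modelling the causes the issue suspects (not 2FAS code):
    de-duplicate on secret alone and take the brand from a substring of the name."""
    by_secret = {}
    for issuer, name, secret in tokens:
        for brand in BRANDS:
            if brand.lower() in name.lower():
                issuer = brand                      # real issuer is lost here
        by_secret[secret] = (issuer, name, secret)  # later entry replaces earlier one
    return list(by_secret.values())


def careful_import(tokens):
    """Drop only exact (issuer, name, secret) repeats and never rewrite the issuer."""
    return list(dict.fromkeys(tokens))


def audit(source, imported):
    """Return (dropped, issuer_changed) by comparing imported tokens with the source."""
    imported_set = set(imported)
    issuer_of = {(name, secret): issuer for issuer, name, secret in imported}
    dropped, changed = [], []
    for issuer, name, secret in source:
        if (issuer, name, secret) in imported_set:
            continue
        if (name, secret) in issuer_of:
            changed.append((issuer, name, issuer_of[(name, secret)]))
        else:
            dropped.append((issuer, name))
    return dropped, changed


def fuzz_entries(seed, count=50):
    """Constructed random entries: a small secret pool forces collisions and the
    name stems contain brand-like substrings."""
    rng = random.Random(seed)
    pool = [c * 32 for c in "ABCDEF"]
    stems = ["tingblast", "Apple555", "johnsmith", "anonymous"]
    return [(f"Issuer{rng.randrange(10)}", f"{rng.choice(stems)}-{k}", rng.choice(pool))
            for k in range(count)]


# Constructed sample reusing mock values from the issue's two examples.
SAMPLE = make_export([
    ("GitLab", "username@example.com", "A" * 32),
    ("PyPI", "anonymous", "A" * 32),
    ("November", "tingblast", "B1" * 16),
    ("Oscar", "Apple555", "D2" * 16),
])

if __name__ == "__main__":
    src = parse_aegis(SAMPLE)
    print("naive  :", audit(src, naive_import(src)))
    print("careful:", audit(src, careful_import(src)))
```

Running `audit` against the output of a real importer, with `fuzz_entries` supplying inputs, gives the round-trip property the issue asks for: every source entry must come back with its issuer, name and secret unchanged.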

Any updates on this?