HackerOne TOTP is instead seen as password field #2332
The current (far from ideal) HackerOne TOTP:

Of course they should use `autocomplete="one-time-code"`. However, the `/\btotp\b/` match in combination with `maxlength=6` should, I think, be enough hints for KeePassXC-browser to correctly detect TOTP here.

Expected Behavior

Detect TOTP field.

Current Behavior

The field is detected as password field.

Possible Solution

… is `true`, however because it's detected as a `password` field first, it seems the field is no longer detected as `TOTP`:

keepassxc-browser/keepassxc-browser/content/fields.js, lines 23 to 33 in aa288ff

So I tried adding an explicit `!isAcceptedTOTPField` on line 23:

`password` was added as a negative check in TOTP icon improvements #786 because of my complaining in Improvement: No "Fill TOTP from KeePassXC" in postal/zip_code fields #768. This results in two solutions:

1. Removing `password` from `ignoredTypes` plus changing `ignoreRegex` to `/(bank|coupon|postal|user|zip)((?!(\b|_)totp(\b|_)).)*code|comment|author|error/i` (note: `user.*code` is probably too strict for a negative; in this case it is `user[totp_code]`, but I can also imagine `user_mfa_code` etc.).
2. An `allowRegex` with strong indicators, e.g. `/\b(totp|otp|2fa|mfa)\b/i`, in which case other soft checks are not performed (e.g. `ignoredTypes` and `ignoreRegex`).

Steps to Reproduce (for bugs)

Enable 2FA on https://hackerone.com/ and sign in.

Debug info

KeePassXC - 2.7.9
KeePassXC-Browser - 1.9.3
Operating system: Linux x86_64
Browser: Mozilla Firefox 131.0

Comments

I've a PR for solution 1.

That looks like a good solution to me. I would say a field that obscures the text (i.e. a password field) should definitely be weighted more towards a password detection though. False positive hits for TOTP on password fields might be worse than the current state noted on this issue. You can also use custom fields for the website to overcome some auto-detection faults. Your change would need to be tested well on common sites to ensure no regression.

I agree with you both @droidmonkey and @varjolintu that this should be seriously tested.

```html
<label data-v-0a2585d0="" data-v-779d6dc5="" class=""><span data-v-0a2585d0="" data-v-779d6dc5="">2-Factor Code:</span><input data-v-0a2585d0="" data-v-779d6dc5="" type="password" maxlength="12" class="form-control" autocomplete="off"></label>
```

Geez and that one had a max length 12 too. So weird.

Usually
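The two solutions proposed in the issue, run side by side over constructed field descriptions, as an added example. This is not keepassxc-browser's own `fields.js` logic and not code from anyone in the thread: `classifyField`, `fieldText`, `hasSoftTotpHint`, the `IGNORED_TYPES` list and the sample fields are invented for illustration, and HackerOne's markup (not captured in the issue text) is reconstructed from the issue's own hints (`type="password"`, `name="user[totp_code]"`, `maxlength=6`). The two regexes quoted from the issue are copied verbatim. One thing the example surfaces that the prose does not: in JavaScript regexes `_` is a word character, so the proposed `/\b(totp|otp|2fa|mfa)\b/i` does not match `user[totp_code]` or `user_mfa_code` at all, while the `(\b|_)` construction the issue already uses inside its `ignoreRegex` does.

```javascript
// Added example (not keepassxc-browser's code). Models the issue's two proposals
// on plain attribute objects instead of DOM elements, so it runs under Node.

// Types the soft path never treats as TOTP. Keeping "password" here is the
// behaviour the issue complains about; solution 1 removes it (assumed list).
const IGNORED_TYPES = ["password", "checkbox", "radio", "submit", "button", "hidden"];
const SOLUTION1_IGNORED_TYPES = IGNORED_TYPES.filter((t) => t !== "password");

// ignoreRegex proposed in solution 1 (copied from the issue).
const IGNORE_REGEX = /(bank|coupon|postal|user|zip)((?!(\b|_)totp(\b|_)).)*code|comment|author|error/i;

// allowRegex with strong indicators proposed in solution 2 (copied from the issue).
const ALLOW_REGEX = /\b(totp|otp|2fa|mfa)\b/i;

// Same indicators, but accepting "_" as a token boundary: \b treats "_" as a word
// character, so ALLOW_REGEX misses "user[totp_code]" and "user_mfa_code".
const ALLOW_REGEX_UNDERSCORE = /(\b|_)(totp|otp|2fa|mfa)(\b|_)/i;

// Attribute text the regexes are matched against (assumed set of attributes).
function fieldText(field) {
  return [field.name, field.id, field.placeholder, field.autocomplete, field["aria-label"]]
    .filter(Boolean)
    .join(" ");
}

// Soft positive hints: the ones the issue calls "enough hints" (a totp token,
// maxlength=6) plus the standard autocomplete value. Thresholds are illustrative.
function hasSoftTotpHint(field) {
  const text = fieldText(field);
  if (field.autocomplete === "one-time-code") return true;
  if (ALLOW_REGEX_UNDERSCORE.test(text)) return true;
  const max = Number(field.maxlength);
  return Number.isInteger(max) && max >= 6 && max <= 8 && /code/i.test(text);
}

// Solution 2: a strong indicator bypasses every soft negative check. Otherwise the
// soft path applies ignoredTypes, then ignoreRegex, then the positive hints.
function classifyField(field, { allowRegex = ALLOW_REGEX, ignoredTypes = IGNORED_TYPES } = {}) {
  const text = fieldText(field);
  const type = (field.type || "text").toLowerCase();
  if (allowRegex.test(text)) return "totp";
  if (ignoredTypes.includes(type)) return type === "password" ? "password" : "ignored";
  if (IGNORE_REGEX.test(text)) return "ignored";
  return hasSoftTotpHint(field) ? "totp" : "other";
}

// Constructed sample fields (not scraped from any site).
const SAMPLE_FIELDS = {
  // Reconstructed shape of the HackerOne field described in the issue.
  hackerone: { type: "password", name: "user[totp_code]", maxlength: "6", autocomplete: "off" },
  // The "2-Factor Code" field pasted in a comment: no name or id, maxlength 12.
  twoFactorNoName: { type: "password", maxlength: "12", autocomplete: "off" },
  zip: { type: "text", name: "zip_code", maxlength: "5" },
  mfa: { type: "text", name: "user_mfa_code", maxlength: "6" },
  login: { type: "password", name: "user[password]" },
  standard: { type: "text", name: "code", autocomplete: "one-time-code", maxlength: "6" },
};

function classifyAll(options) {
  const out = {};
  for (const [label, field] of Object.entries(SAMPLE_FIELDS)) {
    out[label] = classifyField(field, options);
  }
  return out;
}

console.log("solution 2, \\b regex:     ", classifyAll({ allowRegex: ALLOW_REGEX }));
console.log("solution 2, (\\b|_) regex: ", classifyAll({ allowRegex: ALLOW_REGEX_UNDERSCORE }));
console.log("solution 1 only:          ", classifyAll({ ignoredTypes: SOLUTION1_IGNORED_TYPES }));
```

Running it shows why the commenters ask for broad testing: with the `\b` form of `allowRegex`, HackerOne's field is still classified as `password`, and `user_mfa_code` is swallowed by the proposed `ignoreRegex` (the author's own worry); with the `(\b|_)` form both become `totp`, while the obscured "2-Factor Code" field with no name, the login password field and `zip_code` keep their non-TOTP classification under every variant. Solution 1 on its own also recovers HackerOne, but only because of the soft hints, so a nameless obscured field ends up as `other` rather than `password`.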