Andy Franks created GUACAMOLE-1599:
--------------------------------------

Summary: Storage of TOTP secrets unhashed
Key: GUACAMOLE-1599
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1599
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-totp
Affects Versions: 1.3.0
Environment: Ubuntu 20.04
Reporter: Andy Franks
Hi,

I successfully campaigned for the use of Guacamole in the large public sector organisation I work at. A security-conscious colleague has noticed that apparently the TOTP codes for users are stored in the guacamole_user_attribute table in plain text, and presumably could be trivially copied to a TOTP utility and the codes generated. I pointed out that the user security part is salted and hashed, and you'd need both to log in, but the colleague is not appeased.

Perhaps not a bug as such, but possibly a spanner in the works of keeping the adoption of the software, which would be a big shame. Is there an official explanation (e.g. that it's simply not required as you'd need to get into the database first, the security is implicit there, etc.)? Or is it a future planned change?

Thank you

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
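The asymmetry the report touches on (passwords salted and hashed, TOTP secrets stored as-is) comes from how the two checks work. A password check only needs to compare a freshly computed hash against the stored one, so the plaintext never has to be kept. A TOTP check (RFC 6238) has to recompute HMAC-SHA1 keyed with the original shared secret for the current time step, so the server needs the secret itself; a hash of it keys a different HMAC and produces a different code. The added example below is not Guacamole's code and does not reflect how guacamole-auth-totp stores anything; it uses only the Python standard library, a RFC 6238 test-vector secret, and a hypothetical `verify_password` / `verify_totp` pair to show why one side can be hashed and the other cannot:

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# --- Password side: a salted, slow hash is enough, the plaintext is never stored ---

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest). Only the digest and salt need storing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash and compare in constant time; no plaintext required."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, stored_digest)

# --- TOTP side: the verifier must key an HMAC with the *raw* shared secret ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

def verify_totp(base32_secret: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (hypothetical policy).
    Note that decoding the stored base32 secret back to raw bytes is unavoidable here."""
    secret = base64.b32decode(base32_secret, casefold=True)
    counter = at // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )

def totp_from_hashed_secret(base32_secret: str, at: int) -> str:
    """What a verifier that only kept SHA-256(secret) could compute: an HMAC keyed
    with the hash, which yields a code unrelated to the one the user's app shows."""
    hashed = hashlib.sha256(base64.b32decode(base32_secret, casefold=True)).digest()
    return totp(hashed, at)

# Constructed inputs: the RFC 6238 Appendix B SHA-1 test secret (ASCII "1234...90")
# in base32, and the RFC's timestamp 59, for which the expected 6-digit code is 287082.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_TIME = 59

if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", salt, digest))
    print("genuine TOTP at t=59:", totp(base64.b32decode(RFC_SECRET_B32), RFC_TIME))
    print("verify_totp:", verify_totp(RFC_SECRET_B32, "287082", RFC_TIME))
    print("code from hashed secret:", totp_from_hashed_secret(RFC_SECRET_B32, RFC_TIME))
```

The practical consequence for a defender is that a TOTP secret column is as sensitive as the secret itself, so the question is whether it is protected at rest (for example encrypted with a key held outside the database) and who can read it, rather than whether it could be hashed like a password.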