janvanderwalt / winauth Goto Github PK

[deleted issue]

the auto join doesnt work in windows authenticator, he lost some first digits 

This is actually a major flaw with the original Blizzard Java version as well 
(have not checked the iPhone version due to time constraints).  Since they 
decided to ignore the reasonable disclosure notice, I see fit to publicly 
disclose the vulnerability.

Description: 
https://docs.google.com/document/edit?id=1pf-YCgUnxR4duE8tr-xulE3rJ1Hw-Bm5aMk5tN
OGU3E&hl=en
Proof of concept: 
https://docs.google.com/document/edit?id=1pf-YCgUnxR4duE8tr-xulE3rJ1Hw-Bm5aMk5tN
OGU3E&hl=en

The proof of concept code will not work vs your C# application due to a 
different PRNG than java.util.Random, but since the algorithm they use is 
fairly easy to reproduce extending the code is trivial (Google yields "The 
current implementation of the Random class is based on Donald E. Knuth's 
subtractive random number generator algorithm." per MSDN).  I would recommend 
patching the vulnerability.

The trivial solution: Use System.Security.Cryptography.RNGCryptoServiceProvider 
instead of Random in Authenticator.CreateInitializationRandom()
Other things that you *should* do: Randomize the model number to armor the 
Initialization Request.

Best regards.

I fear I shall be bashed, but I ran both the mobile version as well as the 
desktop version version of your authenticator, and I find it odd that one 
cannot use both at the same time for one account, as it appears to be 
impossible to copy the settings from one to the other.

The mobile version can only import old Java settings, while the desktop version 
can't export to such a format. If all the information it provides (via the 
unencrypted XML file) are enough to create such a .db file for the mobile 
version, it is still unclear what kind of structure this file should have.

...please don't bash me -.- ...