When inspecting the output of the 2-step authentication API, I found out DA is using a deprecated Google service to generate the OTP QR code via Google Image Charts.
Example of the API output: when we successfully generated the new KEY, it has the following link:
Code:
<img src='https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/admin%37%server%2Ezenpipe%2Ecom%3Fsecret%3D%32QOPIM%33QTJACRTPC%26issuer%3DDirectAdmin'><br>
The username, server and secret key are sent to the service, and as you probably know it's not a good idea to use an online service to send this sensitive data. Plus, DA shouldn't use it anyway because it has been deprecated since 2012: https://developers.google.com/chart/image/
Here is the comment and a proposed solution from this guy:
How to generate a QR Code for Google Authenticator that correctly shows Issuer displayed above the OTP?
Warning: sharing your TOTP seed with third-parties breaks the very basic assumption of multi-factor authentication that the TOTP seed is secret. So, I'm aware of the documentation on this, foun...
stackoverflow.com
I created a feature request here: https://feedback.directadmin.com/b/...t-use-google-service-for-generating-otp-code/
What do you think?
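A way to audit panel or API output for the pattern described in the post above, added here as an example and not taken from the post or from DirectAdmin: it parses markup and reports any `otpauth://` URI handed to an external host as a URL parameter. The function name, the `trusted_hosts` parameter, the hosts and the secret in the sample are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

class _UrlAttrs(HTMLParser):
    """Collect (tag, url) pairs from attributes that make the browser fetch a URL."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                self.urls.append((tag, value))

def find_otp_leaks(html, trusted_hosts=()):
    """Report otpauth:// URIs that the markup passes to an http(s) host not in trusted_hosts."""
    parser = _UrlAttrs()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or host in trusted_hosts:
            continue  # data: URIs and hosts the operator trusts are skipped
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            if not value.lower().startswith("otpauth://"):
                value = unquote(value)  # tolerate a double-encoded parameter
            if not value.lower().startswith("otpauth://"):
                continue
            otp = urlsplit(value)
            otp_query = dict(parse_qsl(otp.query))
            findings.append({
                "tag": tag, "host": host, "param": param,
                "account": otp.path.lstrip("/"),
                "issuer": otp_query.get("issuer"),
                # Record only that a secret was present; never copy it into the report.
                "secret_exposed": bool(otp_query.get("secret")),
            })
    return findings

# Constructed sample markup (hypothetical hosts and a constructed secret, not the page's values).
LEAKY = ("<img src='https://qr.thirdparty.example/chart?chs=200x200&cht=qr&chl="
         "otpauth://totp/alice%40panel.example%3Fsecret%3DJBSWY3DPEHPK3PXP%26issuer%3DExamplePanel'><br>")
LOCAL = "<img src='data:image/png;base64,AAAA'><a href='https://docs.example/help?topic=2fa'>help</a>"

if __name__ == "__main__":
    for finding in find_otp_leaks(LEAKY + LOCAL):
        print(finding)
```

A QR image rendered on the server and embedded as a `data:` URI, as in `LOCAL`, produces no finding because the seed never appears in a request to another host.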