limpkin / mooltipass

Github repository dedicated to the mooltipass project

Home Page: https://www.themooltipass.com

C++ 5.29% C 34.08% Makefile 9.94% Python 2.53% HTML 23.57% JavaScript 0.93% CSS 2.13% Shell 0.02% Java 0.72% Assembly 0.02% C# 0.11% OpenSCAD 0.03% TeX 4.28% Rebol 0.01% Batchfile 0.02% Ruby 0.01% Objective-C 0.01% Gherkin 0.07% G-code 16.05% Pug 0.19%
security password-keeper password-manager passwords

mooltipass's Introduction

Mooltipass Project Repository

Mooltipass first prototype

This is the GitHub repository dedicated to the Mooltipass device family. It contains all the resources that were used and made for this community driven product line since the project was first started back in December 2013. The Mooltipass Mini device is available for purchase on our Tindie store.

What is the Mooltipass Project?

With time, logins and passwords have become critical elements we need to remember to access the different websites and services we use daily. If we want to achieve good security, each of these credential sets should be unique.
We therefore created the Mooltipass, a physical password keeper that remembers and encrypts your credentials so you don't have to. With this device, you can generate and safely store long and complex passwords. A personal PIN locked smartcard allows the decryption of your credentials and ensures that only you have access to them. Simply visit a website and the device will ask for your confirmation to enter your credentials when login is required.
The Mooltipass is a standalone device connected through USB, is completely driver-less and is compatible with all major operating systems on PCs, Macs and Smartphones. It therefore is extremely simple to use our device:

  • Plug the Mooltipass to your computer/tablet/phone, no driver installation required.
  • Insert your smartcard, unlock it with your PIN. Without the PIN, the card is useless.
  • Visit the website that needs a login. If using our browser plugin the Mooltipass asks your permission to send the stored name and password, or asks you to save/generate new credentials if you are logging in for the first time.
  • If you are not using the browser plugin or logging in to something other than a web browser, you can manually tell MP to send the correct name and password. It will type it in for you, just like a keyboard. In this way it can be used anywhere.

Advantages over software-based solutions

A software-based password keeper uses a passphrase to decrypt a credentials database located inside a device (computer, smartphone...). Since at a given moment both your passphrase and your database are held in your device's memory, a malicious program with access to both elements could compromise all your passwords at once. In some cases, security flaws in software-based solutions have also led to entire unencrypted databases being extracted simply by visiting a website.
We therefore offer the following advantages:

  • Stronger security: we reduce the number of attack vectors by basically having our device type your passwords for you.
  • A non-proprietary device: as our product is open anyone can develop new tools for it. There will never be fees for the services we offer.
  • An open-source platform: all our source code can be viewed, allowing you to check that your credentials are only kept inside the device and not leaked to the outside.
  • A trusted platform: as only our tested source code is running on the Mooltipass, there can't be any viruses or malicious programs compromising your stored credentials.

The Platform

The Mooltipass is composed of the main device shown above and a smartcard.
Your AES-256 encrypted credentials are stored on the device. The smartcard is a read-protected memory that needs a PIN code to unlock its contents (the AES-256 key plus a few websites' credentials). As with your chip and PIN bank card, too many wrong tries will permanently lock the smartcard.

The Firmware

We want the device to be as simple as possible. Ideally, the end user shouldn't have to spend more than a few seconds to use its basic functionalities.
A browser extension runs on the user's computer and sends the current website to the Mooltipass. When the user has to login, the Mooltipass will light up and ask for confirmation to enter the credentials.

Data Safety

Safety is a primary concern for the Mooltipass development team, which is why we offer several secure ways to backup your credentials.
The smart card containing the AES key used for encrypting the passwords can be cloned using the Mooltipass, copying its PIN code as well. The encrypted credentials stored in the Mooltipass internal flash can be exported to the official Mooltipass website or simply somewhere on your local computer.

A Brief History of Security Flaws and Breaches

We often think that the devices and websites we use are exempt of security flaws.
You may see if one of your accounts has already been compromised by visiting this website.
We also compiled a brief list of major security breaches and vulnerabilities found during the last few months:

Frequently Asked Questions

Is your solution better than a piece of paper?
A piece of paper contains passwords that can easily be read when you are not paying attention to it. The Mooltipass stores encrypted passwords that can only be read when providing your PIN code.

If I only need to remember a PIN code, does it mean the Mooltipass is not safe?
Not at all, as the Mooltipass system is exactly like your chip and pin card: 3 false tries will permanently block the smart card and make credential decryption impossible.

Why do I need different passwords for different websites?
Websites are compromised on a daily basis. If you are using the same password for different websites, one attacker could use a password he discovered on all of them.

Why do you need an OLED screen?
An offline password keeper needs to provide a way to prevent impersonation. Because a malicious program could emit forged requests, the user has to check that the website/service for which he is approving the sending of credentials is the same as the website/service he is currently visiting or using. Moreover, having a display allows the user to operate the Mooltipass without the browser plugin, using our dedicated touch interface.

Why are you using both a smart card and a main Mooltipass device?
There are many reasons, the main one being that it is much easier to carry a smart card around than any other object. This smart card is a secure element that contains your credentials' encryption key, it is cheap and may be cloned without compromising the system security.

What if I lose my smartcard?
Our device is shipped with two smartcards, so you can keep your copy somewhere safe. The Mooltipass therefore allows the user to clone his smartcard as many times as he wants, provided that the card PIN is correctly entered.

Can the smartcard be used with multiple Mooltipass?
You can synchronize your credentials between multiple devices. This allows you to have one Mooltipass at work and one at home.

What if I lose my Mooltipass device?
Your encrypted credentials can be exported to either your computer or the Mooltipass official website. If you lose your device, you may purchase another one and restore your credentials.

Are you sure about your encryption implementation?
The AES-256 implementation used in the Mooltipass has been compared against the standard NESSIE test vectors for correctness. Moreover, our security chain has been reviewed by qualified individuals.

Can I use it on Windows/Linux/Mac?
Yes, as no drivers are required to use the Mooltipass. It is recognized as a standard USB keyboard that will enter passwords for you.

Can I use it on my computer/laptop/phone/tablet...?
Most (if not all) devices (including smart phones and tablet PCs) include a USB host capable port. The Mooltipass will work with all of them.

How secure is the Mooltipass?
We are using the most secure encryption algorithms and designed our case to make physical tampering practically impossible. Our solution is therefore perfectly suited for individuals wanting to improve their credentials safety.

Are you planning to make a wireless version?
The Mooltipass isn't wireless, which avoids the added cost of a lithium-ion battery and a wireless interface. Customer surveys also let us know that having a USB cable wasn't a problem for most use cases.

How are the credentials sent to the computer?
The Mooltipass is enumerated as a composite HID keyboard / HID proprietary device. The credentials are sent over the HID proprietary channel when using the browser plugin and over the keyboard channel when using the Mooltipass through its touch interface.

Is it still possible to sniff the passwords sent over HID?
In theory yes. As mentioned in our project description the Mooltipass aims at reducing the number of attack vectors to a minimum: the device basically types your password as if you were doing it yourself. Perfect security could only be achieved by sharing dedicated secrets with every possible service and website... which is practically impossible to do.

If I can export my encrypted credentials, does this mean someone could crack them?
In short, no. We use AES-256 encryption in CTR mode; brute-forcing the encrypted credentials would take more than fifty years.

If it is open source, does it mean it is less secure?
Not at all. Having our code open source allows everyone to check our security implementation, which actually leads to a better code quality and more trust from our final users.

Contact us

You may contact the development team via the official Google group or ask for support at support[at]themooltipass[dot]com

Thanks and Acknowledgement

None of this would have been possible without the help of many people located all over the globe.
Here is a non-exhaustive list:

  • Darran H. (graphics, plugin, comms, general development and more) - New Zealand
  • Pierre C. (GUI, encryption implementation supervision, pen testing) - France
  • Bjorn W. (GUI, graphics, wise man, project advisor) - Canada
  • Raoul H. (cross platform daemon, browser extensions) - France
  • Henryk P. (encryption implementation supervision) - Unknown
  • Olivier G. (mechanics, project advisor) - Switzerland
  • Josh W. (mechanics, plugin, fw supervision) - USA
  • Eric E. (schematics & layout verification) - USA
  • Mike N. (flash storage, node management) - USA
  • Charles E. (legal, project advisor) - USA
  • Miguel A. (AES encryption, RNG) - Spain
  • Tom V. (part of USB) - South Africa
  • Erik M. (IRC, general help) - USA
  • Mikael A. (GUI, plugin) - Sweden
  • Hans N. (general help) - Denmark

Device History

  1. Mooltipass Standard
    You may find all the articles detailing the different stages of the Mooltipass Standard's life using this link.
    Our crowdfunding campaign achieved its goal by raising around $125k in December 2014.

mooltipass's Issues

[MP] New credential fails to store password after initializing new card

Built from 198d944, first credential seems to have worked, but additional credentials do the following:

  • Enter credentials in browser, click login
  • Click Update credentials in MP popup
  • Confirm add new user on MP
  • [MP returns to main menu, browser continues log in]
  • Return to login page, choose new credential on MP
  • [MP fills in correct username, wrong password (should have been 1 character, appears to be several characters, possibly the password from original credentials)]

Can not login when pressing SKIP in MP popup

Tried accessing random pages (http://karman.ath.cx/web/users, gmail.com, logmein.com).

If credentials are ok and you do all the process to update them in MP, the login is performed properly.

If, instead of choosing to update MP, SKIP is chosen, the popup disappears and the login is not performed even if the written credentials are correct.

Mac OS X 10.9.3, Chrome Versión 38.0.2121.3 dev (64-bit), MP Plugin v0.4, MP Client v0.3

chromeipass issue with bank

  1. Go to Google
  2. Search for "swedish personal number generator" and use the first result.
  3. Go to https://internetbank.swedbank.se/bviPrivat/privat?ns=1
  4. Enter the personal number as YYYYMMDDXXXX where XXXX are the 4 numbers you got from the generator.
  5. Select "Personlig kod" from the dropdown list.
  6. Click "Fortsätt" (I don't know if the fake personal number will be accepted)
  7. If you get so far, try a random password and "Fortsätt".

You will see that mooltipass will not let you login if you have the popup window activated. Neither "Skip" nor "Never for this site" work.

[PIN entry] Graphics glitch on 5->6, but not 7->6 (only 1st and 3rd digits)

(Built from 639156c)

When incrementing from digit '5' to '6', a small artifact appears to the left of '6', continues on '6' to '7' and is cleared upon reaching '8'. The glitch is not visible when going from '8' to '7' to '6'. Additionally, the glitch only appears on the 1st and 3rd pin code digits. Advancing to the next digit ('6' -> '' or '7' -> '') also clears the glitch.

See attached images:

Mooltipass hanged when added a second username

I have a small php webpage for testing purposes at http://karman.ath.cx/web/users/index.php

I created two new users: test:test and test2:test2 (user:pass), then logged out.

After adding them, I try to login for the first time with test:test. The popup asks me to update mooltipass or skip, so I click update and follow the mooltipass onscreen instructions to add the user and pass. On logout the mooltipass asks me whether to login with saved credentials and works fine.


Then I try to login with test2:test2, I'm asked to add the new test2 user and upon accepting, the mooltipass hangs. Mooltipass keeps the right led off and does not respond to any touching. Doesn't respond either when trying to login to same or other pages. Connection is not shown as lost in the Mooltipass tab in the app until you manually disconnect it from USB to force a restart.


After restart I tried to login in the same page. Mooltipass shows me to select between 4 users, all the same user test:


All 4 'test' users have been tested to work properly in the web page. However user test2 doesn't appear. Trying to add the same 'test2' user again hangs the mooltipass again.

I've kept both users in http://karman.ath.cx/web/users/index.php so anyone can test and replicate the results.

Build/Version information should be present in firmware

Some kind of reproducible identifier should be present in the firmware, perhaps accessible via the GUI. I would suggest:

  • If built from git, use git describe
  • If built from release (I know, we don't have one yet), use version.h or something that is committed with source

For even more "interesting" suggestions, take a look at the linux kernel's method for determining versions/hashes: https://github.com/torvalds/linux/blob/master/scripts/setlocalversion

Problem with the extension in Linux

(from Josh watts)


Linux (Ubuntu 12.04), Chrome unstable

"I got things to move a bit further along by reloading the 2 chrome extensions. I think the MP client extension had lost contact with the MP. Once restarted I started getting notices about being on hackaday.io, and the update credentials seem to have worked. Now I'm stuck at entering the credentials: I get the message to allow credentials for the site, but clicking accept doesn't produce any change in the browser, and clicking sign in gives me the same dialog with "update credentials" and "skip".

"mpClient is null at that line:

// Messages from the content script
chrome.runtime.onMessage.addListener(function(request, sender, sendResponse)
{
    console.log(sender.tab ? 'from a content script:' + sender.tab.url : 'from the extension');

    if (sender.tab)
    {
        console.log('back: cont req '+JSON.stringify(request));
        // from content script
        switch (request.type)
        {
            case 'inputs':
                contentAddr = sender.tab.id;
                console.log('inputs:');
                for (var i=0; i<request.inputs.length; i++)
                {
                    console.log('    "'+request.inputs[i].id);
                }
                sendResponse({type: 'ack'});  // ack
                console.log('sending to '+mpClient.id);
                chrome.runtime.sendMessage(mpClient.id, request);
                break;
            case 'update':
                chrome.runtime.sendMessage(mpClient.id, request); // <-- Error occurs here, line 103. mpClient is null
                break;
            default:
                break;
        }
    }
});"

The problem might be with how chrome already has the user/pass filled in?"

Detailed info:

content: creating dialog div
checking submitted credentials
check: creds
changeCheck: cred email
changeCheck: cred password
content: update dialog
content: after update dialog
from a content script:http://hackaday.io/signin?returnUrl=%2F
back: cont req {"type":"update","url":"http://hackaday.io/signin?returnUrl=%2F","inputs":[{"name":"email","type":"email","value":"[email protected]"},{"name":"password","type":"password","value":"pplcmcia"}]}
Error in event handler for runtime.onMessage: Cannot read property 'id' of null Stack trace: TypeError: Cannot read property 'id' of null

Wrong favicon for extension

When you open up the chromeIPass page by clicking on the logo, and the page is seen as a browser tab, but NOT active, the favicon.ico file used is the hackaday logo...

App loses communication with Extension

I have a recurring issue that I discovered. The MP seems to not wake up any more when the extension prompts to save new credentials. Waking up manually (by finger presses) does not result in the MP saving new credentials from the extension, but disconnecting USB and re-connecting then unlocking card does.

I have recently uninstalled and rebooted and re-installed the application and extension to ensure no glitches.

Setup and problem:

  • The MP has gone to sleep (screen is off).
  • MP app shows a cyan logo (connection ok?) and no error messages.
  • When visiting a site and entering new credentials, MP extension correctly asks if I would like to add the credentials to the Mooltipass. I agree.
  • No response on the MP. Touching the screen wakes it up but no prompt for saving or modifying any credentials.

Solution:

  • Unplug MP, plug back in.
  • Enter PIN, get "Card unlocked" message. MP app says "device status: unlocked".
  • MP prompts to save credentials from earlier (the extension buffered it apparently)

Re-creation:

  • Allow MP to go to sleep (screen off)
  • Attempt to enter credentials somewhere so MP extension asks to save them

MP App version 0.10.0
MP Extension version 0.2.0
Windows 7, 64 bit

Docs?

Any documentation for the protocol, or import/export that the app does? Not that it's not fun to try to figure it all out looking at the source, but it's also nice to know for sure. (In particular - I want to write something to slurp up my keepass2 database and inject it into the mooltipass...)

Big Frustrations with Mooltipass

Ok, so my mooltipass came today, after all the delays with shipping and email overload I was already pretty frustrated but was prepared to wipe the slate clean and give it a go.

But the frustrations of this project are overwhelming:

  • You've sent 45 update emails and another 10 order emails. One even included a link to a python script you had used to try and fix something. I mean seriously WFT?
  • The pin code entry system is a massive pain to use, entering a password is hard, so it's slow, so anyone could read it over my shoulder.
  • The app doesn't work with Linux out of the box and itself offers no indication of how to fix it. How hard would this be?
  • The faq section on fixing this issue on the website is infuriating:
    • it closed every time I tried to click on the text to select it
    • The code isn't formatted as code, so it's not clear
    • Do you really think most Linux users know off the top of their head how to create a udev rule?
    • a link to a 10 line gist with instructions on how to fix this would have been very useful. How hard would this be?
  • You seem to have lots of different projects inside the same git repo on github, multiple repos are free, much safer to use and much clearer for anyone browsing for information. Given that this is supposed to be a sustainable project not linked to one person's whims it seems very concerning that the one massive mess project is under a user's account not an organisation. How hard would this be?
  • I spent 15 minutes trying to use the mooltipass (and by the way it's a stupid name) to login to facebook (you've heard of it I assume? you sure as fuck haven't got proper unit tests interfacing with it). Having entered my password into numerous insecure places and got nowhere I abandoned the effort.
  • I then created a new user on github with a new password I didn't care about and tried to use the mooltipass to login.
    • It took me 15 minutes of messing around to get it to actually login.
    • Even once I got it working the thing kept asking to enter my credentials into the github anonymous landing page and the github authenticated landing page.
    • The "generate random password" feature doesn't seem to work at all
  • So the UX of your thing with both the second most used website in the world and with the management system you use is beyond awful. I mean seriously WFT?

In short, if you apply the same level of intelligence to safeguarding my passwords as you have to the rest of this project, I must assume my facebook password will already be safe on 50 different sites.

Last set of credentials created offered for all contexts

I've had this happen a couple of times now. Both times I was using 2 tabs, but I don't know for sure if that is really related. The 2nd time this occurred I was paying more attention. I created my credentials for atlassian.com and logged in/out several times. Then I created credentials for cafepress.com and logged in/out. Then I opened a new tab and went back to atlassian.com, where Mooltipass prompted me to use my cafepress credentials. Going back to my gmail account I am also prompted to use my cafepress credentials rather than my gmail.

Then after entering the wrong email account on hackaday projects and then trying to use the correct email, I find MP offers 4 users for hackaday projects, all with the incorrect first email. Then going back to cafepress, MP offers me my 4 incorrect hackaday users.

Stored credentials for a site but doesn't appear to be actually stored, LOGIN menu acts strange & MP reset

MP Extension: 0.2.0
MP App: 0.13.0
Firmware: I can't remember where to find this, but pretty sure it's the one before RC3.2 because I haven't applied RC3.2 yet. Sorry I can't be clearer.

Problem:
Stored credentials on MP for site, but conflicting behaviour concerning whether credentials exist or not. Cannot use LOGIN on MP for the site in question (to have MP send credentials manually).

While repeating the problem my MP reset back to the splash screen and locked.

Setup:
I recently created a new account (for Blizzard's Battle.net) and entered my credentials at the web page. https://us.battle.net/login/en/. I was interrupted before hitting LOGIN on the web page. I returned some time later and clicked LOGIN (the fields were already filled with my email and password which I typed earlier.)

The web site said the session had timed out, but the Chrome extension still asked if I wanted to save the credentials. I did. The MP appeared to act normally (e.g. asking for confirmation) at this point but I didn't take special notice of anything other than that at least one confirmation dialog happened (there should have been more than one for a new site but I can't be sure if there was or wasn't).

App Log:

> requesting to write credentials for battle.net
> adding new service: battle.net

I tried to log in again by refreshing the login page but the MP doesn't seem to recognize having the credentials. App Log:

> requesting credentials for battle.net
access denied or no credentials

Trying to use LOGIN on the MP does the following strange behaviour, which is repeatable:

  1. Touch LOGIN on MP
  2. Scroll to 'battle.net' (2nd page, top left), touch to select
  3. MP returns to home screen
  4. Touch LOGIN on MP again
  5. Scroll to 'battle.net' (2nd page, top left), touch to select
  6. MP asks to send credential for 'canadapost.ca' (3rd page, top left) instead

If a short delay (5 seconds?) is between steps 3 and 4 then the 'wrong' credential will not get sent, the MP just goes back to home (skips # 6). If selecting the 'battle.net' credential again is done within a few moments, the 'wrong' credential (canadapost.ca) is done.

After repeating this process a few times investigating the timing, my MP reset to the splash screen and was locked.

Support OpenPGP Smart Card

Hi could I use your device with an OpenPGP Smart Card? Does it work with all regular smart cards? How do I enter the PIN? Is there an onscreen keyboard or can the keyboard be plugged directly into the device so my PC never has my actual pin?

Allow longer passwords and/or alert user about truncation

Got my Mooltipass over the weekend and started trying to use it today. I tried using the Chrome app to load existing passwords onto it, but it appears to have truncated one of them to 31 characters:
log entries including password truncation

I don't know which one it was because I was loading several passwords in a row and only noticed the truncation at all because I switched back to the logging tab at one point.

Two questions:

  • Can the Mooltipass store passwords longer than 31 characters? (Word-based generation systems such as the xkcd method or Diceware can exceed this length rather easily.)
  • If not, can either the app or the device itself alert the user that their password is being truncated (i.e., corrupted!) and will not be the same as what originally was entered?

Chrome APP is hard to reset to a zero state.

I found several scenarios in which the app hangs and stops working properly when running tests.

The only way to make it work again is to reset the app by disabling it and reenabling it again in chrome extensions menu, making it hard to reset if someone doesn't know it.

Extension doesn't get the password

I don't think it is related, but I migrated all decryption functions to decryptTempCNodePasswordAndClearCTVFlag(buffer).
I'm now manually printing the password after the call >> usbPutstr(temp_buffer); and have the correct password
However, the chrome extension lets me know: get password, no value found for password

Wondering if this has something to do with the recent chrome update?

HOTP support

Instead of having to grab the cellphone, get the Google Auth app (or similar) and typing in the number from there, what about HOTP support in mooltipass?

Same checks apply:

  • plug in mooltipass
  • user puts smartcard in
  • types in PIN to unlock
  • browser plugin hints about HOTP, or one selects HOTP from OLED screen
  • select the correct HOTP key (browser plugin could help)
  • current HOTP key + time left is shown, just hit 'yes' or 'no' to send authcode over the keyboard interface
  • presto

This does mean that the mooltipass requires a RTC though, or at least correct time, which it might receive through USB from the host computer. (if time is off then HOTP does not work).

[Enhancement] Internally limit PIN attempts to 3

To help prevent accidentally triggering the card's built-in brute-force block, we should limit the number of PIN entry attempts to 3 (read the card's counter to determine how many so far), and provide a hard(er) to reach mechanism to allow the user to make the 4th and final attempt.

Wrong website address sent to the mooltipass

on reddit.com:

plugin:
connected: Mooltipass version "unknown"
event.js:10 onMessage(get_settings) for #117
event.js:10 onMessage(retrieve_credentials) for #117
mooltipass.js:200 mp.associate() already connected
page.js:107 mp.retrieveCredentials(callback, 117, http://www.reddit.com, https://www.reddit.com/post/login, {4})
mooltipass.js:242 sending to maemandldfnggcdaohmbfjogomnkiiil
mooltipass.js:69 back: app req cardPresent
mooltipass.js:69 back: app req noCredentials
event.js:10 onMessage(update_notify) for #117
event.js:246 notification created for mpUpdate.1
event.js:194 notification mpUpdate.1 button 0 clicked
event.js:197 notification update qdqsdq on http://www.reddit.com/
mooltipass.js:200 mp.associate() already connected
mooltipass.js:162 mp.updateCredentials(}) 117 0 qdqsdq http://www.reddit.com/
mooltipass.js:183 sending update to maemandldfnggcdaohmbfjogomnkiiil
mooltipass.js:69 back: app req cardPresent

prompt:
"add credentials for http:///www.reddit.com on mooltipass?"

app:
Found 1 devices.
mooltipass.js:1335 Device 4 vendor5840 product 2464
mooltipass.js:1339 Connecting to device 4
mooltipass.js:856 received request inputs
mooltipass.js:499 URL: https://www.reddit.com/post/login
mooltipass.js:502 keys: ["password","login"]
mooltipass.js:514 context: www.
mooltipass.js:1021 Failed to set context "www."
mooltipass.js:1038 Failed to set up context "www."
mooltipass.js:465 clear authreq timeout
mooltipass.js:856 received request update
mooltipass.js:540 auth context: www.
mooltipass.js:1021 Failed to set context "www."
mooltipass.js:465 clear authreq timeout

mooltipass:
"confirm new credentials for www."

inconvenient sorting in manual login

In the manual login menu, domains are sorted alphabetically, but by the first subdomain and not the main domain.
For example, www.anywebsite.com will be listed under "w" and should be listed under "a" because the main domain is "anywebsite".
If the sorting were by "main domain", this would be much more convenient.
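The sorting this issue asks for, as an added example rather than code from the Mooltipass app: a qsort comparator that keys each host on its main-domain label. It assumes the label just before the last one is the main domain (multi-part public suffixes such as "co.uk" are not handled), and the host list is constructed sample data.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Copy the "main domain" label of a host into key, e.g. "www.anywebsite.com"
 * -> "anywebsite". Assumption: the label just before the last one is the main
 * domain; multi-part public suffixes such as "co.uk" are not special-cased. */
static void main_domain_key(const char *host, char *key, size_t key_size)
{
    const char *end = host + strlen(host), *last_dot = NULL, *prev_dot = NULL;
    for (const char *p = host; p < end; p++)
        if (*p == '.') { prev_dot = last_dot; last_dot = p; }
    /* single label (e.g. "localhost"): use it whole */
    const char *start = last_dot ? (prev_dot ? prev_dot + 1 : host) : host;
    const char *stop = last_dot ? last_dot : end;
    size_t n = (size_t)(stop - start);
    if (n >= key_size) n = key_size - 1;
    memcpy(key, start, n);
    key[n] = '\0';
}

/* qsort comparator: case-insensitive on main domain, full host as tie-break */
static int cmp_by_main_domain(const void *a, const void *b)
{
    const char *ha = *(const char *const *)a, *hb = *(const char *const *)b;
    char ka[64], kb[64];
    main_domain_key(ha, ka, sizeof ka);
    main_domain_key(hb, kb, sizeof kb);
    int r = strcasecmp(ka, kb);
    return r ? r : strcasecmp(ha, hb);
}

/* Sort the manual-login host list in place by main domain. */
void sort_hosts_by_main_domain(const char **hosts, size_t count)
{
    qsort(hosts, count, sizeof *hosts, cmp_by_main_domain);
}

/* Constructed sample list (not from the project), sorted on first access. */
static const char *g_hosts[] = { "www.zeta.org", "mail.anywebsite.com",
                                 "beta.net", "www.Alpha.com" };
const char *sorted_host(size_t idx)
{
    static int sorted = 0;
    size_t n = sizeof g_hosts / sizeof g_hosts[0];
    if (!sorted) { sort_hosts_by_main_domain(g_hosts, n); sorted = 1; }
    return idx < n ? g_hosts[idx] : NULL;
}
```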

No way to erase card if MP is erased before card

Presuming that the user knows the PIN for the card, they should be given the option to create a new user using the card anyway, or the choice to erase the card. Unless I modify a custom firmware myself, I have no way to recover this card (thankfully it's not blocked, though it took some low level modification to be sure of that w/o blocking the card).

Chrome browser update leaves two copies of MP Client running

When testing with MP 0.4 I went to check what version of Chrome on Win 7 64-bit I was running using the About Chrome tab. Chrome detected that it needed an update and I told it to go ahead and then, when the download was done, to restart Chrome.

When Chrome restarted, a second copy of the MP Client appeared. Not a big deal, of course, but a little odd.

CAPS Lock Wakeup

When quickly cycling through CAPS Lock (CAPS ON instantly followed by CAPS off) the device will wake up (OLED and LEDs turn on).

This will happen only when the device is unlocked and the screen/touchpad has gone dark. Chrome and the MP Client can be closed and this will still happen.

Chrome: 38.0.2125.0 dev-m (64-bit)
MP Client: 0.3
MP Plugin: 0.4
MP FW: 0.1
OS: Windows 8.1 Pro 64-bit

Can't login when usernames are exactly 1 char long

The title says it all...

On the fw side, I have the confirmation that for example "a" is sent via the debug in CMD_GET_LOGIN

            // Use the buffer to store the login...
            usbSendMessage(CMD_GET_LOGIN, strlen((char*)incomingData), incomingData);
            USBPARSERDEBUGPRINTF_P(PSTR("get login: \"%s\"\n"),(char *)incomingData);

on the plugin:
set context: "limpkin.fr" ok
get login: "a"

Can reboot Mooltipass with right touch input combination

I can replicate this issue but sometimes need to try more than once to make it happen.

Setup to replicate the issue as I experienced it:

  • MP has two credentials for a single website (in my case, webmail.showthegrow.com)
  • Go to website to log in (e.g. http://webmail.showthegrow.com)
  • MP prompts for one or the other credential to log in with
  • Give MP a clockwise "dialing" input with finger as if using the jog-dial interface. Uncertain whether it depends on duration of 'dial' or starting point.
  • MP immediately scrolls up the bootup logo and remains that way.
  • (If MP is unplugged here, the App becomes unresponsive.)
  • (If MP is left plugged in then the MP will eventually prompt for PIN and things will sort themselves out.)
  • App icon is purple, log appended:
    > requesting credentials for showthegrow.com
    access denied or no credentials
    device status: locked
  • MP goes to "Enter your PIN"
  • App is responsive again, recognizes unlock of MP
  • App Icon is cyan

Everything seems normal at this point.

Windows 7 x64
MP App version 0.10.2
Extension version 0.2.0
Firmware: 0.7

http auth blocked by extension

On a router with http auth to access its configuration settings the "pop up" never appears when the extension is enabled.

basic utf-8 support needed for OLED strings

To support non-ASCII characters like "éàïô", the string functions in OLEDMP will need to handle a subset of the UTF-8 encoded characters and map them onto the 8-bit character range 128-255.

The string "éàïô" is encoded as { 0xc3, 0xa9, 0xc3, 0xa0, 0xc3, 0xaf, 0xc3, 0xb4 }.
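A decoder for the mapping this issue describes, added here as an example and not code from OLEDMP: ASCII passes through, two-byte sequences with lead byte 0xC2/0xC3 are mapped onto 128-255, and anything else becomes '?'. It assumes the font's upper half follows the Latin-1 layout so that the code point itself is the font index; the input strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Convert a UTF-8 byte string into 8-bit OLED font codes. ASCII passes
 * through; two-byte sequences with lead byte 0xC2/0xC3 (U+0080..U+00FF)
 * are mapped onto 128..255, assuming the font's upper half follows the
 * Latin-1 layout. Any other sequence, or malformed input, becomes '?'.
 * Returns the number of output bytes (excluding the terminating NUL). */
size_t utf8_to_oled8(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_size)
{
    size_t i = 0, o = 0;
    while (i < in_len && o + 1 < out_size) {
        uint8_t b = in[i];
        if (b < 0x80) {                       /* plain ASCII */
            out[o++] = b;
            i++;
        } else if ((b == 0xC2 || b == 0xC3) && i + 1 < in_len &&
                   (in[i + 1] & 0xC0) == 0x80) {
            /* 110000xx 10yyyyyy -> code point 0x80..0xFF fits in one byte */
            out[o++] = (uint8_t)(((b & 0x1F) << 6) | (in[i + 1] & 0x3F));
            i += 2;
        } else {
            /* Unsupported or broken sequence: skip the lead byte and any
             * continuation bytes that follow, emit a placeholder. */
            out[o++] = '?';
            i++;
            while (i < in_len && (in[i] & 0xC0) == 0x80)
                i++;
        }
    }
    if (out_size)
        out[o] = '\0';
    return o;
}

/* Helper for checks: decode a NUL-terminated UTF-8 string and return the
 * OLED code at position idx, or -1 past the end. */
int oled_char_at(const char *utf8, size_t idx)
{
    uint8_t buf[64];
    size_t n = utf8_to_oled8((const uint8_t *)utf8, strlen(utf8), buf, sizeof buf);
    return idx < n ? buf[idx] : -1;
}
```

Feeding it the eight bytes quoted above yields 0xE9 0xE0 0xEF 0xF4, one font index per character.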

MP plugin CSS leakage

Take a look at the attached screenshot. What you're looking at is my instance of Microsoft Team Foundation Server's web interface. We use it for my company's internal task tracking/resource management.

See the "Cancel" button?

Is it possible that the Mooltipass chrome app CSS is overwriting normal page styles?

If I disable the Mooltipass Plugin and the Mooltipass Client, TFS goes back to normal.

mooltipass css issue

Tricky webpage, identified as login form when you are already logged in.

I have this test page to test multiple users and MP: http://karman.ath.cx/web/users/index.php

Some test users: test:test, test2:test2

Once you have added one or more of them to your Mooltipass you should be able to log in on the webpage without problems.

When the webpage reloads in the logged-in state, the Mooltipass asks you again if you want to log in to karman.ath.cx even though you just successfully logged in.

Maybe it is triggered by a hidden password field that serves to change the currently logged-in user's password, or maybe it has something to do with the login and logged-in pages, which are the same index.php.

Wrong message when properly importing eeprom

I tried to export flash and eeprom, wipe the MP and then import both flash and eeprom. Import works fine, but I got a 'denied' message even when the import was correct. This is what I did:

I imported flash, accepted importing in MP and waited until finished. Worked perfectly.

Imported eeprom and skipped the confirmation in MP, I got the 'denied' message. Tried again to import, accepted in MP, waited until the progress bar finished, then got the 'denied' message again.

I confirmed that MP worked properly with saved credentials so I can confirm that MP imported both flash and eeprom properly despite the 'denied' message.

Mac OS X 10.9.3, Chrome Version 38.0.2121.3 dev (64-bit), MP Plugin v0.4, MP Client v0.3
