Comments (10)
Thanks @someoneEsle. For the record, they say
Hi, A new code is generated if fails 5 times, or if sent to a new phone number.
but I don't see the reason for this and it seems a bad idea to me. It's easy to peek into one's past SMS messages, read the activation code and re-register with the same phone number on another device. Moreover, phone companies can (and do) log SMS messages, so an easy way to hijack a Wire account is available to whoever has access to those logs.
from wire-server.
Just so you know, they're aware of it: https://twitter.com/gillo/status/709313322672398336
True, I'm pretty sure they're aware of the implications and it's a matter of time before they fix it. By the way you get an email and a notification every time someone registers a new device, but your point still makes sense.
Is this issue still relevant?
Hi everyone,
thanks for contributing to the conversation. The SMS code is not generated by the Android application but by the wire server application. Moving this issue there.
Heyo, this is working as intended (which of course doesn't mean that it's correct :-).
Off the top of my head (I only remember we discussed this internally, but I'm hazy about the details): the code is only re-used if you use the same email / phone number within the lifetime of the old code. If you would get a different code each time you ask, the following could happen: user requests code, waits for email, requests code again, first email arrives, user uses first code, but second code is expected.
I guess you could fix that by accepting both codes for a while. But why? Since you are saying it's obvious: what is the attack scenario here?
Sounds to me like it is a fairly good trade between security and accessibility. I've wrestled with SMS tokens and have come to a similar conclusion based on the population of users. Wire users could be more sophisticated, necessitating moving the slider more towards security.
Current TTL on codes is 24 hours. So this only happens if you register, delete, and register again, all within 24 hours.
Deleting your account and re-registering using the same phone number will still create a fresh account. Any previous devices, connections and conversations you had are no longer available on that new account.
There is actually one very slight improvement we could make here (helping to avoid confusion leading to issues like this one): actively remove the codes on user deletion. Currently, we don't actively remove the code but wait for the TTL to expire (which takes 24h from the time of the first initial registration - so this is an edge case for users who very shortly delete their accounts after having created them).
@fisx isn't it possible that, for instance, Alice registers, receives the code C, Bob peeks at the code (either on Alice's device or by being employed at Alice's TSP) and sends a "forgot password" request using C within these 24 hours?
Indeed, re-using the codes improves user experience a little bit, but only for certain scenarios of impatient users. I think these days most people are used to verification emails and realize that only the last one usually works. Also, the possibility of confusing codes could be eliminated by attaching labels to the code: when a user requests a verification code, we display label L and send (C, L) to the user. If the user requests verification again, we display label L' and send (C', L'). Now the user can't confuse them and pass the code C, because labels L and L' don't match. This is how it is implemented in several banking apps I have used.
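An added example (not code from wire-server or from any commenter) of the labelled-code scheme proposed above, combined with the active removal of codes on account deletion suggested earlier in the thread. The class name, the 24-hour TTL constant and the injectable clock are assumptions made for this illustration.

```python
import secrets
import time

# The thread states that codes currently live for 24 hours (assumption: same TTL here).
CODE_TTL_SECONDS = 24 * 60 * 60


class LabelledCodeStore:
    """Verification codes keyed by phone number or email.

    Every request issues a fresh (code, label) pair; the label is shown on the
    requesting screen and must be presented together with the code, so a stale
    code from an earlier SMS/email cannot be mistaken for the current one.
    """

    def __init__(self, now=time.time):
        self._now = now                # injectable clock (assumption, for testing)
        self._codes = {}               # identity -> (code, label, expires_at)

    def request_code(self, identity):
        code = f"{secrets.randbelow(10**6):06d}"      # 6-digit code sent out of band
        label = secrets.token_hex(2).upper()          # short label displayed to the user
        self._codes[identity] = (code, label, self._now() + CODE_TTL_SECONDS)
        return code, label

    def verify(self, identity, code, label):
        entry = self._codes.get(identity)
        if entry is None:
            return False
        stored_code, stored_label, expires_at = entry
        if self._now() >= expires_at:                 # expired: drop it, reject
            del self._codes[identity]
            return False
        ok = (secrets.compare_digest(code, stored_code)
              and secrets.compare_digest(label, stored_label))
        if ok:
            del self._codes[identity]                 # single use: no replay within the TTL
        return ok

    def delete_account(self, identity):
        # Actively remove any outstanding code instead of waiting for the TTL,
        # so a code observed before deletion cannot be used to re-register.
        self._codes.pop(identity, None)
```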
@kirillt , my apologies for the delayed nature of our response. As SMS security has continued to be an issue in general across the industry, Wire has decided to no longer use SMS codes for login, or to allow the use of phone numbers for login. This has been removed in many of our clients already.
Unless you have any further questions, we will close this issue.
Thank you for using Wire!