• Security
10 MIN READ

IT-Boost TOTP Secret Exposure

Recently, we discovered a security issue with how IT-Boost handles TOTP secrets.

IT-Boost can calculate OTP codes, making it ideal for sharing credentials within a team. When a user loses access to IT-Boost, they also lose access to the credentials and TOTP generator. However, we found that TOTP secrets may not be as secure as assumed since the codes are calculated in the browser instead of on a backend server.

TOTP Secret exposure risks

  1. Extraction of TOTP Secrets: Users can extract TOTP Secrets and install a new TOTP generator on another device. This vulnerability is particularly concerning when an employee leaves the company, potentially retaining access to sensitive accounts.
  2. Compromised Devices: Malware and Remote Access Trojan (RAT) kits can be used by threat actors to record usernames, passwords, and TOTP Secrets. This can lead to a massive security breach, affecting numerous services and customers.

Best Practices for TOTP Code Generation

The correct way of providing TOTP codes to a user, would be to leverage a TOTP API endpoint, where the TOTP code is calculated. This method ensures the TOTP Secret isn’t transferred to the browser.

Response and Recommendations

We reported our findings to the ConnectWise compliance team, who confirmed the issue on 24 June 2024. They will be releasing a fix for this issue tomorrow, on 25 Juli. We recommend all IT-Boost users to cycle their TOTP Secrets as soon as the security update is implemented. This will help mitigate the risk of compromised OTP Secrets.

Screenshots Demonstrating the TOTP Secret Vulnerability

Below is a Fiddler request for opening a password stored in IT-Boost. The secretKey value is a base64 string which, when decoded, is the same as the TOTP Secret we provided when submitting credentials.

New password entry, with secret: pjmbggn2ydb2qkr2

The /passwords/secKey endpoint returns a JSON value with a base64 encoded string, which is the same as the provided secret: cGptYmdnbjJ5ZGIycWtyMg== decoded value: pjmbggn2ydb2qkr2

Fiddler trace of opening the saved password.

Update 2024-07-26

The vulnerability is now resolved as an TOTP api endpoint is used. Our compliments to ConnectWise for solving this issue within a month!

Latest Articles

SOAR: Block Log Analytics IP Entities on Azure Frontdoor / WAF #3
February 22, 2025
How it works Previously, I’ve blogged about two variants that we used at Prof-IT Services to block malicious IP addresses on Azure Frontdoor that were ...
The G-Door: Microsoft 365 & the risk of unmanaged Google Doc accounts
December 23, 2024
It’s time to secure Google Workspace—even if you’re not using it. Read about our recent discovered vulnerability, called 'G-Door', which allows users to bypass Microsoft ...
Automating Azure SQL Maintenance with Azure Automation
December 2, 2024
Keeping Your Azure SQL Databases Healthy: The Power of Automation In the realm of database management, maintaining optimal performance and storage efficiency for your Azure ...
Malware Analysis – Shortcuts in zip file
September 1, 2024
Recently, we encountered two distinct variants of a payload delivered through Google Drive, both containing a malicious shortcut. While these threats were successfully mitigated, it’s ...
Load More

Talk With Our IT Experts Today

Schedule a call to talk to one of our Solution Consultants, who can help guide you on your journey to choosing the right IT solution or managed service for your business.

Book a Consultation