Recently, we discovered a security issue with how IT-Boost handles TOTP secrets.

IT-Boost can calculate OTP codes, making it ideal for sharing credentials within a team. When a user loses access to IT-Boost, they also lose access to the credentials and TOTP generator. However, we found that TOTP secrets may not be as secure as assumed since the codes are calculated in the browser instead of on a backend server.

Blog by Jeremy Pot.

TOTP Secret exposure risks

Best Practices for TOTP Code Generation

The correct way of providing TOTP codes to a user, would be to leverage a TOTP API endpoint, where the TOTP code is calculated. This method ensures the TOTP Secret isn’t transferred to the browser.

Response and Recommendations

We reported our findings to the ConnectWise compliance team, who confirmed the issue on 24 June 2024. They will be releasing a fix for this issue tomorrow, on 25 Juli. We recommend all IT-Boost users to cycle their TOTP Secrets as soon as the security update is implemented. This will help mitigate the risk of compromised OTP Secrets.

Screenshots Demonstrating the TOTP Secret Vulnerability

Below is a Fiddler request for opening a password stored in IT-Boost. The secretKey value is a base64 string which, when decoded, is the same as the TOTP Secret we provided when submitting credentials.

New password entry, with secret: pjmbggn2ydb2qkr2

The /passwords/secKey endpoint returns a JSON value with a base64 encoded string, which is the same as the provided secret: cGptYmdnbjJ5ZGIycWtyMg== decoded value: pjmbggn2ydb2qkr2

Update 2024-07-26

The vulnerability is now resolved as an TOTP api endpoint is used. Our compliments to ConnectWise for solving this issue within a month!