Bug with Entropia Pocket.

[Katie Chalmers]

Hey,
For those that use Entropia Pocket for 2FA I want to bring to light a curious discovery that may be a potential security risk.
When the game asks for you to enter the 6 digit code, it doesn't recognise any preceding zeros in the combination.

For example: A code of 75040 will need to be entered exactly as given, however the code of 00419 will only need the last three digits entered for the code to work.
In the rare chance that a code of 00000 Is generated, It is likely that no input would be required at all.

I am not at all familiar with how 2FA programs work behind the scenes, but in my eyes this seems like an oversight and a security risk. A 6 digit code should be 6 digits, zeros or not. Funnily enough the 2FA on the Entropia website works as intended, its just the game client that has this issue.

Can anybody with insider knowledge on these systems send me some reassurance?
Ta

 

[endermigne]

I'm not sure what your angle of looking at this is. Having leading zeros or not doesn't make any difference to how the code is generated or checked. What you mention simply shows that on the server they convert the entered value to a number and compare that to what they consider the currently correct value (actually two values as the current one leaps over for five more seconds).

These are all the same values on the server: 1, 01, 001, 0001, 00001, 000001

Not having to enter leading zeros is a very minor convenience.

 

[Gopher]

I'm not sure what your angle of looking at this is. Having leading zeros or not doesn't make any difference to how the code is generated or checked. What you mention simply shows that on the server they convert the entered value to a number and compare that to what they consider the currently correct value (actually two values as the current one leaps over for five more seconds).

These are all the same values on the server: 1, 01, 001, 0001, 00001, 000001

Not having to enter leading zeros is a very minor convenience.

Its a slight increase of % of guessing the right code if you were to try to get into an account with 2fa.

 

[endermigne]

Its a slight increase of % of guessing the right code if you were to try to get into an account with 2fa.

How so? What am I missing here?

 

[Gopher]

How so? What am I missing here?

if a code of 000054 or something generates, some1 could get it by just typing in 54

 

[Katie Chalmers]

Its a slight increase of % of guessing the right code if you were to try to get into an account with 2fa.

I initially thought this too when I posted this. But now I realise that someone trying to hack into your account would need to still account for the missing zeros by choosing not to enter them.
So likely my concern isn’t justified. Still an interesting bug though.

I also would like to know how the system would handle a code of all zeros.

 

[endermigne]

if a code of 000054 or something generates, some1 could get it by just typing in 54

So? Feel free to explain to me the difference of entering 54, 054, 0054, 00054 or 000054.

I don't know if you have some coding experience, but when converting a string to a number leading zeros have no meaning (besides making the parser believe it could be an octal number, but that's beyond this topic). That's why I put it into the first paragraph of my first answer.

I also would like to know how the system would handle a code of all zeros.

Yep, that's the real question. Then again, does it matter? Chances still are 1:1000000 then to pick the right code.

Also: how many attempts do we have before the account is locked?