Logins fail using one-time passwords.

[Derek Mahar]

Logins using one-time passwords are failing for me.  I don't know for which earlier version they were working, but it's been only recently that they've started failing.

Configuration:

Clipperz d0eabc16f6a857faf4f2e65e3582c348016baede

Chrome 47.0.2526.80 m (Windows 10)

Firefox 42.0 (Windows 10, Lubuntu 15.10)

Derek

[Marco Barulli]

Hi Derek,

did you try generating new OTPs and login using the new ones?

Did that work?

If it keeps failing could you open up the Console in Chrome (View > Developer > Javascript Console) and send me the errors you see there?

Many thanks,

Marco

--
Clipperz - keep it to yourself!
https://clipperz.is

Marco Barulli
email: ma...@clipperz.is
mobile: +49 176 8827 2185
skype: mbarulli

--
You received this message because you are subscribed to the Google Groups "Clipperz" group.
To unsubscribe from this group and stop receiving emails from it, send an email to clipperz+u...@googlegroups.com.
To post to this group, send email to clip...@googlegroups.com.
Visit this group at http://groups.google.com/group/clipperz.
For more options, visit https://groups.google.com/d/optout.

[Derek Mahar]

Marco:

Generating a new OTP did not work.

Here is the output that Firefox recorded in Console under "More tools..." > "Developer Tools".  I couldn't find the JavaScript Console using the menu path that you provided.

Error while decrypting data [3]

(index):2441 ERROR [Crypto[0.3].deferredDecrypt] m.NamedError {message: "Clipperz.Crypto.Base.exception.CorruptedMessage", name: "Clipperz.Crypto.Base.exception.CorruptedMessage"}

(index):2441 ERROR [Connction.redeemOneTimePassword] m.NamedError {message: "Clipperz.Crypto.Base.exception.CorruptedMessage", name: "Clipperz.Crypto.Base.exception.CorruptedMessage"}

(index):2441 ERROR [Is the passphrase an OTP <then>] m.NamedError {message: "Clipperz.Crypto.Base.exception.CorruptedMessage", name: "Clipperz.Crypto.Base.exception.CorruptedMessage"}

(index):1422 POST https://clipperz.is/json 400 (Bad Request)MochiKit.Base.update.sendXMLHttpRequest @ (index):1422MochiKit.Base.update._doXHR @ (index):2426newfunc @ (index):1279(anonymous function) @ (index):1433MochiKit.Async.Deferred._fire @ (index):1414MochiKit.Async.Deferred._resback @ (index):1399MochiKit.Async.Deferred.callback @ (index):1401newfunc @ (index):1279

(index):2441 ERROR [Proxy.JSON._sendMessage] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [Proxy.sendMessage] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [Proxy.processMessage] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [Connection.login] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):1422 POST https://clipperz.is/json 400 (Bad Request)MochiKit.Base.update.sendXMLHttpRequest @ (index):1422MochiKit.Base.update._doXHR @ (index):2426newfunc @ (index):1279(anonymous function) @ (index):1433MochiKit.Async.Deferred._fire @ (index):1414MochiKit.Async.Deferred._resback @ (index):1399MochiKit.Async.Deferred.callback @ (index):1401newfunc @ (index):1279

(index):2441 ERROR [Proxy.JSON._sendMessage] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [Proxy.sendMessage] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [Proxy.processMessage] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [Connection.login] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [User.handleConnectionFallback - failed] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [User.loginWithPassphrase] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [User.handleConnectionFallback - retry] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [User.loginWithPassphrase] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [User.login] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

(index):2441 ERROR [MainController.doLogin] m.NamedError {req: XMLHttpRequest, message: "Request failed", number: 400}

Derek

[Marco Barulli]

Working on it.

Thanks for your patience and support.
Best,

Marco
--
Clipperz - keep it to yourself!
https://clipperz.is

Marco Barulli
email: ma...@clipperz.is
mobile: +49 176 8827 2185
skype: mbarulli

[John Clements]

Any progress on this? I decided to try out a one-time password today, and ... it didn't work, I get a "Login Failed", as though I'd entered the wrong password. Tried pasting with and without spaces and dashes. After reading messages in this group, deleted and re-typed spaces and hyphens. Still no luck.

First off: can someone confirm that one-time passwords are working for *anyone*?

Secondly, basic info:

clipperz version: f8a0ea7f62402ffa2a79235012adcb77f085b0d4
browser: Firefox v51.0.1(64 bit)
OS: macos 10.12.3 (16D32)

Javascript console output for failure:

unreachable code after return statement[Learn More]  app:7785:981
### PRNG.readyToGenerateRandomBytes  app:6745:539
Error while decrypting data [3]  app:6745:539
ERROR [Crypto[0.3].deferredDecrypt] Object { message: "Clipperz.Crypto.Base.exception.Corr…", name: "Clipperz.Crypto.Base.exception.Corr…", stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Connction.redeemOneTimePassword] Object { message: "Clipperz.Crypto.Base.exception.Corr…", name: "Clipperz.Crypto.Base.exception.Corr…", stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Is the passphrase an OTP <then>] Object { message: "Clipperz.Crypto.Base.exception.Corr…", name: "Clipperz.Crypto.Base.exception.Corr…", stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Proxy.JSON._sendMessage] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Proxy.sendMessage] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Proxy.processMessage] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Connection.login] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Proxy.JSON._sendMessage] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Proxy.sendMessage] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Proxy.processMessage] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [Connection.login] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [User.handleConnectionFallback - failed] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [User.loginWithPassphrase] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [User.handleConnectionFallback - retry] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [User.loginWithPassphrase] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539
ERROR [User.login] Object { req: XMLHttpRequest, message: "Request failed", number: 400, stack: "MochiKit.Base.__new__@https://clipp…" }  app:6745:539

It sure looks like everything else is cascading from that

Error while decrypting data [3]  app:6745:539

line.

Please restore my faith in your product!

Many thanks,

John Clements

[giulio...@gmail.com]

Hello John,

I am very sorry for the extended issues you are having with OTP feature. :(

I have just tried to use an OTP with the test joe/clipperz account and it worked as expected [1].

This both with an OTP already available in the account, and a newly created OTP.

So it looks like the OTP feature is –at least in some context– actually working.

Could you please try to use OTPs with the joe/clipperz account and let us know if they worked for you?

Cheers,

Giulio Cesare

[1]: as expected I mean that I entered 'joe' in the username field, and the copied OTP in the passphrase field.

--

You received this message because you are subscribed to the Google Groups "Clipperz" group.

To unsubscribe from this group and stop receiving emails from it, send an email to clipperz+unsubscribe@googlegroups.com.

To post to this group, send email to clip...@googlegroups.com.

Visit this group at https://groups.google.com/group/clipperz.

[Derek Mahar]

What is the joe/clipperz account? I haven't tried OTP in a long time, but will try again later this morning.

[Taowa]

Hi,

I've tried to generate and use OTPs with an account I just created (testNV/testNV). All generated OTPs failed. I've also just tried the joe account on mobile Firefox and Android's AOSP browser and newly generated passwords have failed.

Taowa

To unsubscribe from this group and stop receiving emails from it, send an email to clipperz+u...@googlegroups.com.

[giulio...@gmail.com]

Hello Taowa,

I have just tried the testNV/testNV account and the OTP worked as expected.

At this point, the OTP miss behaviour seems to be a browser related issue.

Could you please provide more details on the actual setup used to do the tests?

Thanks,

Giulio Cesare

To unsubscribe from this group and stop receiving emails from it, send an email to clipperz+unsubscribe@googlegroups.com.

[John Clements]

I’m also continuing to see failures on my system (setup info included below, but let me copy it:

> clipperz version: f8a0ea7f62402ffa2a79235012adcb77f085b0d4
> browser: Firefox v51.0.1(64 bit)
> OS: macos 10.12.3 (16D32)

I also see the same error on these browsers:

Chrome: Version 56.0.2924.87 (64-bit)
Safari: Version 10.0.3 (12602.4.8)

To make absolutely sure that we’re on the same page, here’s my testing procedure

1) Start new browser.
2) in URL box, enter https://www.clipperz.is/
3) enter into boxes:
login : testNV
password : a1vv kkzy - d6wa yxgv - m974 pfze - 0h9s xzwg
4) Click “Login” button.

After about five seconds, I see “Failed” (and the X).

Let me know if you’re unable to replicate this.

First rule of programming: in 95% of cases, it’s going to turn out to be something simple. But it’ll still take you 12 hours of work to figure out what it is.

Also: If you like, I can use e.g. ZAP proxy to see what bytes are actually going out on the wire.

John Clements

[giulio...@gmail.com]

Hello John,

I tried to enter using the OTP you inserted in your message (copied from the web UI of GMail), and I could not enter.

I logged in with regular username/password, copied the value of the same OTP from the OTP list, and could then enter using its value.

I compared the two values using an Hex editor, and they were just the same.

I did these test with the same version of Firefox you are using, on MacOS (10.12.3 - 16D32).

The final URL should be https://clipper.is/app but I suppose this is what you were using too.

I have tried both typing 'enter' and clicking on the 'login' button, and both options worked the same (as I would have expected, but I double checked it anyway).

I am very puzzled by this behaviour. :(

Do you have any plugin installed in your browser? (I suppose no, as you tried two different browsers with the same effect, but still worth asking).

Could you please try to report the log of the "network" panel in the inspector? Just to check if the application does all the expected round trip to the server to complete the login using the OTP process, or if it hangs earlier.

Sorry again for all the trouble; and thanks for the support.

Cheers,

Giulio Cesare

> To unsubscribe from this group and stop receiving emails from it, send an email to clipperz+unsubscribe@googlegroups.com.

> To post to this group, send email to clip...@googlegroups.com.
> Visit this group at https://groups.google.com/group/clipperz.
> For more options, visit https://groups.google.com/d/optout.
>



--
You received this message because you are subscribed to the Google Groups "Clipperz" group.

To unsubscribe from this group and stop receiving emails from it, send an email to clipperz+unsubscribe@googlegroups.com.

[John Clements]

> On Mar 7, 2017, at 12:01 AM, giulio...@gmail.com wrote:
>
> Hello John,
>
> I tried to enter using the OTP you inserted in your message (copied from the web UI of GMail), and I could not enter.
> I logged in with regular username/password, copied the value of the same OTP from the OTP list, and could then enter using its value.
> I compared the two values using an Hex editor, and they were just the same.

Ah! Now we’re getting somewhere. I can confirm that copying and pasting from the browser works, and that copying and pasting from other sources does not. I’m wondering whether this has to do with the behavior of the copy buffer in macos.

Either way, it looks like you can now reproduce both the good and the bad behavior, so it should be pretty easy to debug the JS, for someone that knows the source code. My strong suspicion is that the contents fetched from the text and/or password box are different in the two cases. Could be as simple as needing to trim whitespace? Maybe 2-5 hours of work?

Thanks for your hard work!

John Clements

[John Clements]

> On Mar 7, 2017, at 9:03 AM, John Clements <clem...@brinckerhoff.org> wrote:
>
>
>> On Mar 7, 2017, at 12:01 AM, giulio...@gmail.com wrote:
>>
>> Hello John,
>>
>> I tried to enter using the OTP you inserted in your message (copied from the web UI of GMail), and I could not enter.
>> I logged in with regular username/password, copied the value of the same OTP from the OTP list, and could then enter using its value.
>> I compared the two values using an Hex editor, and they were just the same.
>
> Ah! Now we’re getting somewhere. I can confirm that copying and pasting from the browser works, and that copying and pasting from other sources does not. I’m wondering whether this has to do with the behavior of the copy buffer in macos.
>
> Either way, it looks like you can now reproduce both the good and the bad behavior, so it should be pretty easy to debug the JS, for someone that knows the source code. My strong suspicion is that the contents fetched from the text and/or password box are different in the two cases. Could be as simple as needing to trim whitespace? Maybe 2-5 hours of work?
>
> Thanks for your hard work!

Oh… oh dear. Now *I’m* unable to replicate the failure. Specifically, it appears that copying and pasting one-time passwords for the testNV account into a text editor and then back into the browser now works. That’s not good…

John Clements

[John Clements]

As you asked, I took a look at network traffic.

Currently, I’m unable to replicate the failure.

*However*, I do notice something interesting; on a successful “regular” (that is, non-OTP) login, I see only four requests; a knock, a handshake/connect, a handshake/credentialCheck, and a message/getUserDetails

On a successful OTP login, however, I see a different sequence:
knock, handshake/oneTimePassword, knock, handshake/connect, handshake/credentialCheck, message/getUserDetails, message/saveChanges

It makes sense to me that the OTP login would have a different sequence, but the duplicated ‘knock’ and the handshake/connect alarms me; it looks like maybe Clipperz is trying the password as an OTP and also as a regular password. My concern is that a race condition could occur where out-of-order packet receipt could make login fail.

Does this make sense?

John Clements

[giulio...@gmail.com]

Hello John,

the OTP sequence makes sense to me; the duplicate 'knock' could be possibly avoided, but it would require to further customise the login procedure ('knock' being the first step required to get a 'ticket' to pay the 'toll' before starting submitting further requests protected through 'hashcash')

I am not much concerned about race conditions, as all steps are done "sequentially" through the use of deferred objects.

But I am very concerned about not being able to replicate the failure, as it means there is still some issues I am not able to investigate. :(

Thanks for the patience.

Giulio Cesare

[k mcleod]

John Clements

Hi John and Giulio Cesare

I am not sure if I am doing this properly or not, but here is my 2 cents and if I am out of line or incorrect please do let me know that I am out to lunch or whatever. But I want to help if I can for CLIPPERZ to fix this OTP feature to work again please.

So I have been faithfully been using CLIPPERZ for several years (LOVE IT) and a few years ago I had no issues using OTPs at all. Then a couple years ago something changed and I was never able to log in using an OTP at all. OTPs NEVER once worked for me in this last couple years. I was reading today this post and then I saw in this post that a login was successful and was reported here as being successful. Then a short time later it was reported that the copy paste OTP was tried again and it was not working again all of a sudden.

Well that is when through all my frustration for trying hundreds of times for past couple of years I tried again today. Well today after about 3-5 dozen tries of the many different ways and different formats of copy and pastes I again was having constant failed login attempts with using the OTPs. Not one successfull OTP login.

Then I read here in this post that one user did a web site copy and paste and they were successful with a login(possibly only one time it worked and it seemed never repeated to work anymore). But then later user reported here it did not work anymore.

So I tried to build on that one post user reported here that user had a successful attempt. So I tried a copy and paste from web site and pasted it into web page and VOILA all of a sudden for some reason I was successful. However, here is what I found how I was successful and then not successful many times over and over. Here is what I consistently time and time again successfully did an OTP login and next one would fail.....consistently. The successful and unsuccessful logins consistently happened every time whenever I wanted to make it happen. I am not a programmer but just one obsessed person to try over and over again different combinations of things and here is what I found that I could make successful logins using OTPs successfully.

So here is how you are guaranteed to get your OTP to work every time as a test. I am not saying it is working properly like CLIPPERZ is suppose to but maybe someone can figure out in the code why it works the way I do it so it can be checked and fixed.

First step is you login into CLIPPERZ the regular way (any browser it doesn't matter as it works in all of them .....Chrome, EDGE, Firefox etc) using your master password. So now you are logged in to what we will call is web browser tab WINDOW #1 using your MASTER PASSWORD. Then you go to this WINDOW#1 your CLIPPERZ ACCOUNT to get one of your previously saved or new OTP password. You highlight the one OTP password and copy it by CTRL C. Next STEP #2 is now you must only open a new browser TAB window in the same browser as you have WINDOW #1 in. It seems the tabs must be side by side in same browser window. You cannot use another whole new window and/or do not use a different browser type, as you must use same browser window with both browser TABS side by side it seems. You must stay absolutely stay logged into CLIPPERZ in WINDOW #1. Do not log out of WINDOW #1. If you close or log out of WINDOW #1 then your copied OTP will not work. You then type your user name in WINDOW #2 CLIPPERZ web site user name box and then paste or CTRL V your OTP password in password box you copied form WINDOW #1 and hit LOGIN or enter and VOILA you are in with one OTP used up. If you logout of WINDOW#2 and then go back to WINDOW #1 and copy another OTP and try it again by opening another same page tab WINDOW#2 it will not work. But if you close WINDOW#2 by clicking the X in top right corner of that window and just close WINDOW #2 then you pretty much most of the time will be able to copy CTRL C another OTP from WINDOW #1 and open a brand new tab on same browser screen and do same as above for WINDOW #2 then I find it works again with a copy of another different OTP. Now if you find you can't log into WINDOW#2 then you must close both WINDOWS #1 and #2 and then start all over again as in STEP #1 above. I did this 2 dozen times in a row and always starting all over and over again at step #1 and it works every time. And if you do close both WINDOWS #1 & #2 and go to login to a new WINDOW#1 and get another new OTP you will see that the OLD OTPs are used up and not useable anymore. Anyway could someone please let me know this is true for my findings and it works for at least getting something to happen and partially works (maybe not properly as it should) but the experts can have a chance to finally figure this out and fix it so we all can use it finally after all these years. I hope I am right with the above. I will try it again tomorrow and check back here soon some time after January 17, 2019.

 Sorry for the long detailed explanation but I want someone else to have success to test it out too and prove my findings.

Thanks

K Mcleod

[k mcleod]

I GOT IT! I think I found something very interesting and can replicate the error and can make the OTP work every time and see below what I found.

Then I read here in this post that one user did a web site copy and paste and they were successful with a login(possibly only one time it worked and it seemed never repeated to work anymore). But then later user reported here it did not work anymore.

So I tried to build on that one post user reported here that user had a successful attempt. So I tried a copy and paste from web site and pasted it into web page and VOILA all of a sudden for some reason I was successful. However, here is what I found how I was successful and then not successful many times over and over. Here is what I consistently time and time again successfully did an OTP login and next one would fail.....consistently. The successful and unsuccessful logins consistently happened every time whenever I wanted to make it happen. I am not a programmer but just one obsessed person to try over and over again different combinations of things and here is what I found that I could make successful logins using OTPs successfully.

So here is how you are guaranteed to get your OTP to work every time as a test. I am not saying it is working properly like CLIPPERZ is suppose to but maybe someone can figure out in the code why it works the way I do it so it can be checked and fixed.

First step is you login into CLIPPERZ the regular way (any browser it doesn't matter as it works in all of them .....Chrome, EDGE, Firefox etc) using your master password. So now you are logged in to what we will call is web browser tab WINDOW #1 using your MASTER PASSWORD. Then you go to this WINDOW#1 your CLIPPERZ ACCOUNT to get one of your previously saved or new OTP password. You highlight the one OTP password and copy it by CTRL C. Next STEP #2 is now you must only open a new browser TAB window in the same browser as you have WINDOW #1 in. It seems the tabs must be side by side in same browser window. You cannot use another whole new window and/or do not use a different browser type, as you must use same browser window with both browser TABS side by side it seems. You must stay absolutely stay logged into CLIPPERZ in WINDOW #1. Do not log out of WINDOW #1. If you close or log out of WINDOW #1 then your copied OTP will not work. You then type your user name in WINDOW #2 CLIPPERZ web site user name box and then paste or CTRL V your OTP password in password box you copied form WINDOW #1 and hit LOGIN or enter and VOILA you are in with one OTP used up. If you logout of WINDOW#2 and then go back to WINDOW #1 and copy another OTP and try it again by opening another same page tab WINDOW#2 it will not work. But if you close WINDOW#2 by clicking the X in top right corner of that window and just close WINDOW #2 then you pretty much most of the time will be able to copy CTRL C another OTP from WINDOW #1 and open a brand new tab on same browser screen and do same as above for WINDOW #2 then I find it works again with a copy of another different OTP. Now if you find you can't log into WINDOW#2 then you must close both WINDOWS #1 and #2 and then start all over again as in STEP #1 above. I did this 2 dozen times in a row and always starting all over and over again at step #1 and it works every time. And if you do close both WINDOWS #1 & #2 and go to login to a new WINDOW#1 and get another new OTP you will see that the OLD OTPs are used up and not useable anymore. Anyway could someone please let me know this is true for my findings and it works for at least getting something to happen and partially works (maybe not properly as it should) but the experts can have a chance to finally figure this out and fix it so we all can use it finally after all these years. I hope I am right with the above. I will try it again tomorrow and check back here soon some time after January 17, 2019.

 

 Sorry for the long detailed explanation but I want someone else to have success to test it out too and prove my findings.

Thanks

K Mcleod