Last week my favorite IT security podcast Bli säker (Become Secure in English) published the episode The Epochalypse and the QR Code (only in Swedish) where they explained the techonology behind mobile authenticator apps. I felt I needed to refresh my TOTP algorithm support investigation from 2019 before the recording of the next episode of the Bli säker podcast. :) So this is an update to the blog post I published in July 2019 called Many Common Mobile Authenticator Apps Accept QR Codes for Modes They Don’t Support.

During 2021 I had access to a facility equipped with an alarm system from Securitas Direct. I had access as a regular user to Securitas Direct’s My Pages at mypages-pro.securitas-direct.com, which is used to administer some aspects of one’s security alarm installation. That web application suffered a CWE-384 Session Fixation vulnerability which can be used by an attacker in a so-called Man-In-The-Middle (MiTM) position. Home page of Securitas Direct My Pages In summary, if an attacker is on the same network as the victim or somewhere else between the victim and Securitas Direct’s server, and if the attacker can make the victim’s browser make an unencrypted HTTP request to a subdomain of securitas-direct.