Website login issue

[michaelm]

Hi,
Login on desktop machine using SQRL app on my phone = no issues.
Login on the phone itself 'clicking' the QR code/sqrl logo = issues. See attached screenshot(s) - 2 steps (password screen in between these)

Needless to say, "login anyway" doesn't work and just takes you back to screen 1.

Any ideas what this might be? Pixel 2 phone, if relevant.

 

[Carl]

Ah, I hadn't seen those forum pages!
Anyway, it seems that there's too many characters being kept in the domain name string, since it was listed as: forums.grc.com/c
"/c" should not have been kept from the sqrl link "sqrl://forums.grc.com/cli.sqrl?x=2&nut=...&can=..."

Edit: well, since x=2 is used, on purpose, I guess they WANTED to keep that part in there! OK...

 

[ahauser]

Hi @michaelm, and thanks for taking the time to report this issue.

First question: Can you reproduce it?
Like @Carl said, this definitely looks like someone was messing with the x= parameter right at the time when you were hitting the "login with sqrl" button.

If you *can* reproduce it though, you might have found a nasty bug, and I'd definitely want to follow up on that then.
Looking forward to your feedback.

 

[PHolder]

@ahauser The x=2 is definitely part of the forum URL over at https://forums.grc.com/ I don't understand why it's configured that way though.. I sent a message off to @Steve about it, to get an explanation. Hopefully, he'll chime in here.

 

[Paul F]

I believe Steve is using the same SQRL server for multiple sites and uses x=n to distinguish between them. There is a mention of it here:

Loading…

www.GRC.com

 

[Chauncy]

I'm also having the same problem logging into the forum on my android phone, Galaxy S9+ to be exact, using Firefox. I thought that an update of some sort messed something up but didn't have time to look into it until now.

It was odd to see the spoof protection warning on a same device login. That "/c" at the end seems to have triggered it. There was no "/c" present at the password entry. The other strange thing is I can use the app to scan the QR Code on my desktop computer and it it works fine to log me in there.

There is something happening that the developers need to take a look at.

 

[ahauser]

Thanks for all the input, guys!

I guess it's fair to assume at this point that there indeed is a problem with the way the Android client handles the x=n parameter when performing the anti-spoof protection checks, so I've created a Github issue for this:

kalaspuffar/secure-quick-reliable-login

This repository is an implementation for SQRL (Secure Quick Reliable Login) on Android. - kalaspuffar/secure-quick-reliable-login

github.com

I might be stating the obvious here, but just want to remind everyone that the development of the Android client (and the SQRL development in general, with the exception of @Jeffa's iOS client) and has come to a grinding halt quite a while ago, after Steve has left the project in favour of his work on SpinRite 6.1. So, chances are that those issues are not going to get immediate attention from the devs.

 

[ahauser]

I've tried reproducing this issue on 3 different devices, but it worked flawlessly each and every time. Registered a new account, logged in, logged out and back in again, all without any troubles.

@michaelm and @Chauncy:
Any more clues on what could trigger the issue for me (non-standard identity settings, etc.) ??