bug: 2FAS generates incorrect TOTP given a specific secret key compared to other apps and online TOTP generators

[bvwpo]

Bug type

Error at runtime

App version

5.3.11

Device environment

iOS 18.2, iPhone 13 mini

Bug description

Add a new token with secret key 6G2NUZHN6QCF7KDAV and with default settings (TOTP, SHA1, 30 sec, 6 digits). The code generated with this token doesn't match any other TOTP app, or online TOTP generators such as https://auth.web.id, https://totp.danhersam.com or https://2fasolution.com/totp.html.

Solution

I don't have a solution but, by playing around, I was able to find that the code generated with the secret key 6G2NUZHN6QCF7KDAV by other apps, is generated by 2FAS with the secret key 6G2NUZHN6QCF7KDA (last letter deleted).

In addition, the code generated with the secret key 6G2NUZHN6QCF7KDAV by 2FAS, is generated by other apps with the secret keys:
6G2NUZHN6QCF7KDAVA
6G2NUZHN6QCF7KDAVB
6G2NUZHN6QCF7KDAVC
6G2NUZHN6QCF7KDAVD

Additional context

No response

Acknowledgements

• This issue is not a duplicate of an existing bug report.
• I understand that security vulnerabilities should be reported to [email protected] instead of on GitHub.
• I have chosen an appropriate title.
• All requested information has been provided properly.