A small amount of data that does not belong to any file
For a website I shall not name, I was getting annoyed with the short session time. And as all lazy people I couldn't be bothered to pull out the OTP app all the time. So here is the "One Click MFA". If you don't understand the risks and downsides of using this script, I know a prince in Nigeria who needs your help.
You can make this script smaller by converting your OTP secret into a integer yourself so you don't need base32Decode(). I recommend to obfuscate the password and the secret with atob() or something. Join all the lines and copy paste the script into a bookmark.
javascript:(function() {
var username = "[USERNAME]";
var password = "[PASSWORD]";
var secret = "[OTP SECRET]";
var base_url = "https://trader.degiro.[COUNTRY]/"; // see degiro.com for supported countries
if (!location.href.startsWith()) {
alert("This bookmarklet can only be used on " + base_url);
return;
}
function base32Decode(base32) {
const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
let bits = '';
let result = '';
for (const char of base32.replace(/=+$/, '')) {
const val = alphabet.indexOf(char.toUpperCase());
if (val === -1) throw new Error('Invalid base32 character.');
bits += val.toString(2).padStart(5, '0');
}
for (let i = 0; i + 8 <= bits.length; i += 8) {
result += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
}
return result;
}
async function generateOTP(secret, timeStep = 30) {
const decodedSecret = base32Decode(secret);
const timeSlice = Math.floor(Date.now() / 1000 / timeStep);
const timeBuffer = new ArrayBuffer(8);
const timeArray = new DataView(timeBuffer);
timeArray.setUint32(4, timeSlice);
const keyBytes = new Uint8Array(decodedSecret.split('').map(c => c.charCodeAt(0)));
const cryptoKey = await crypto.subtle.importKey("raw", keyBytes, { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
const hmac = new Uint8Array(await crypto.subtle.sign("HMAC", cryptoKey, timeBuffer));
const offset = hmac[hmac.length - 1] & 0x0f;
const binary = ((hmac[offset] & 0x7f) << 24) | ((hmac[offset + 1] & 0xff) << 16) | ((hmac[offset + 2] & 0xff) << 8) | (hmac[offset + 3] & 0xff);
const otp = binary % 10 ** 6;
return otp.toString().padStart(6, '0');
}
generateOTP(secret).then(otp => {
fetch(base_url + "login/secure/login/totp", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
username: username,
password: password,
oneTimePassword: otp,
queryParams: []
})
}).then(response => {
if (response.ok) {
window.location.href = base_url;
} else {
alert("Login failed. Please check your credentials.");
}
}).catch(error => {
console.error("Error:", error);
alert("An error occurred. Check the console for details.");
});
}).catch(error => {
console.error("Error generating OTP:", error);
alert("Failed to generate OTP. Check the console for details.");
});
})();