#1137137 libapache2-mod-authn-yubikey sends ID and password over cleartext HTTP

Package:
libapache2-mod-authn-yubikey
Source:
libapache2-mod-authn-yubikey
Description:
Yubikey authentication provider for Apache
Submitter:
Dan Fandrich
Date:
2026-05-20 00:23:02 UTC
Severity:
normal
#1137137#5
Date:
2026-05-20 00:15:58 UTC
While inspecting the source of this package, I found that it seems to send
a user's client ID and password to a remote web site via an http: link, which
means it would be sent unencrypted. The suspect function is
yubikey_client_request() in authn_yubikey/libykclient.c. The URL template is:

http://api.yubico.com/wsapi/verify?id=%d&otp=%s

where the id= is set to client_id and otp= is set to "password" in
authn_check_otp().

Note that I'm not familiar with the package, I don't use it, I barely
understand what it's trying to do, and I didn't verify these results at run
time.  However, the host in question (api.yubico.com) has a valid TLS
certificate so there seems to be no reason to apply this patch:

+++ sources/authn_yubikey/libykclient.c.orig	2008-08-30 09:03:24.000000000 -0700
--- sources/authn_yubikey/libykclient.c	2026-05-19 17:12:44.010781689 -0700
@@ -201,7 +201,7 @@
 			const char *yubikey)
 {
   struct MemoryStruct chunk = { NULL, 0 };
-  const char *url_template = "http://api.yubico.com/wsapi/verify?id=%d&otp=%s";
+  const char *url_template = "https://api.yubico.com/wsapi/verify?id=%d&otp=%s";
   char *url;
   char *user_agent = NULL;
   char *status;
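Review bot: the file headers are reversed: the `+++` line names libykclient.c.orig and the `---` line names the edited file, so `patch` will report a reversed patch and ask to apply it with -R; swap them (`--- .../libykclient.c.orig` then `+++ .../libykclient.c`) so it applies cleanly. Changing the scheme in url_template only moves the request onto TLS; the fix is effective only if the client that fetches this URL verifies the server certificate and host name, which the hunk does not show. If that client is libcurl, as the MemoryStruct buffer suggests, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be left at their defaults and a CA bundle must be present at runtime; otherwise an on-path attacker can still read the otp= value. Note also that id= and otp= remain in the query string, so they are still written to access logs and proxies on the path even over https.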

Whether the existing package has been exposing users' passwords in cleartext
since 2011 and the impact that may have had, I'll leave to the maintainer to
determine.

Dan
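The issue reported above is easy to miss by eye and easy to reintroduce. The following is an added example, not code from the package or from the bug report: a small static check that walks C source for string literals containing URLs whose query string carries credential-like parameters (otp=, password=, token=, ...) and flags those that use plain http. The parameter list and the sample C fragment are assumptions constructed for this example, modelled on the template quoted in the report; the scanner skips comments so that the `//` inside a URL is not mistaken for a line comment.

```python
"""Flag cleartext URL templates that carry credential-like query parameters.

Added example for the bug report above; not part of
libapache2-mod-authn-yubikey.  Intended to run over C sources such as
libykclient.c, but works on any text with C-style string literals.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that normally carry a secret or an authenticator.
# This list is an assumption for the example; extend it for your code base.
SENSITIVE_PARAMS = {"otp", "password", "passwd", "pwd", "token", "secret",
                    "apikey", "api_key", "key"}

# One tokenizer for string literals, char literals and comments, so that a
# "//" inside a quoted URL is never treated as the start of a line comment.
C_TOKEN = re.compile(
    r'"(?:[^"\\\n]|\\.)*"'        # string literal (scanned)
    r"|'(?:[^'\\\n]|\\.)*'"       # character literal (skipped)
    r"|/\*.*?\*/"                 # block comment (skipped)
    r"|//[^\n]*",                 # line comment (skipped)
    re.DOTALL,
)
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sensitive_query_params(url: str) -> list:
    """Return the sorted sensitive parameter names in the URL's query string.

    printf-style templates such as id=%d&otp=%s parse fine because only the
    parameter names are inspected, never the values.
    """
    query = urlsplit(url).query
    names = [k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)]
    return sorted({n for n in names if n in SENSITIVE_PARAMS})


def scan_c_source(src: str) -> list:
    """Return findings for every URL literal with sensitive query parameters.

    Each finding is a dict with the 1-based line, the URL as written, the
    sensitive parameter names, and whether the scheme is cleartext http.
    Limitation: adjacent literals ("http://" "host") are seen separately.
    """
    findings = []
    for m in C_TOKEN.finditer(src):
        token = m.group(0)
        if not token.startswith('"'):
            continue  # char literal or comment
        line_no = src.count("\n", 0, m.start()) + 1
        for url in URL.findall(token[1:-1]):
            params = sensitive_query_params(url)
            if not params:
                continue
            findings.append({
                "line": line_no,
                "url": url,
                "params": params,
                "cleartext": urlsplit(url).scheme.lower() == "http",
            })
    return findings


def format_findings(findings: list) -> str:
    """Render findings as one report line each, cleartext ones marked HIGH."""
    lines = []
    for f in findings:
        sev = "HIGH: cleartext" if f["cleartext"] else "note: query-logged"
        lines.append(f"line {f['line']}: {sev} {','.join(f['params'])} in {f['url']}")
    return "\n".join(lines)


# Constructed sample input, modelled on the template quoted in the report.
SAMPLE_C = r'''
/* constructed sample for the added example; not the package's source */
static const char *url_template = "http://api.yubico.com/wsapi/verify?id=%d&otp=%s";
// static const char *old = "http://example.invalid/login?password=%s";
static const char *docs = "http://example.invalid/docs/index.html";
static const char *tls_template = "https://api.yubico.com/wsapi/verify?id=%d&otp=%s";
'''

if __name__ == "__main__":
    print(format_findings(scan_c_source(SAMPLE_C)))
```

Run over a real tree with `find . -name '*.c' | xargs -I{} python3 scan.py {}` after replacing SAMPLE_C with the file contents; only the http finding is severe, but the https hit is still worth a second look, since query-string credentials end up in access logs and proxy logs regardless of TLS.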