QuickAuth Pebble loads TOTP keys in the clear over HTTP and is susceptible to man-in-the-middle attacks.
427e900319b144508503fda3ef825f8938285cdb168278c868e75d07bf751d30
QuickAuth Pebble application loads the configuration page via HTTP. As such it is possible for an attacker to setup and use a MITM proxy to inject Javascript which posts the key to an external site to steal the TOTP keys as they are being updated on the Pebble app.
Original GitHub issue : https://github.com/JumpMaster/QuickAuth/issues/25