by whitepoplar
2880 days ago
TOTP tokens can absolutely be intercepted. A MITM attack can work like this: 1) User inputs username and pw into spurious site. 2) Spurious site prompts for the user's TOTP token. 3) Spurious site proceeds to immediately log in to the real site w/ username, pw, and valid TOTP token. 4) Bad guys get an HTTP session cookie which for many sites lasts practically indefinitely.
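The last step of the relay described above only pays off if the stolen session cookie stays valid for a long time. As an added example (not part of whitepoplar's comment or any real site's code), here is a server-side session store that bounds the damage with an absolute lifetime, an idle timeout, and a per-user revocation hook for incident response. The TTL values, class and function names are hypothetical; the clock is injectable so the expiry logic can be exercised without waiting.

```python
"""Hypothetical server-side session store: absolute + idle expiry and
per-user revocation, limiting how long a relayed login stays usable."""
import secrets
import time

ABSOLUTE_TTL = 8 * 3600   # assumed: session dies 8h after login, no matter what
IDLE_TTL = 30 * 60        # assumed: session dies after 30 min without a request


class SessionStore:
    def __init__(self, absolute_ttl=ABSOLUTE_TTL, idle_ttl=IDLE_TTL, clock=time.time):
        self._sessions = {}        # session id -> record; never trust the cookie alone
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self._clock = clock        # injectable for tests

    def create(self, user):
        """Issue an unguessable session id after a successful login."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None if unknown/expired.
        Expired records are deleted so they cannot be revived later."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        too_old = now - rec["created"] > self.absolute_ttl
        too_idle = now - rec["last_seen"] > self.idle_ttl
        if too_old or too_idle:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now     # idle window is refreshed, absolute window is not
        return rec["user"]

    def revoke_all_for_user(self, user):
        """Kill every session of a user (e.g. after a confirmed phish).
        Returns the number of sessions removed."""
        doomed = [sid for sid, rec in self._sessions.items() if rec["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("live user:", store.validate(sid))
    print("revoked:", store.revoke_all_for_user("alice"))
    print("after revoke:", store.validate(sid))
```

The absolute cap is the piece that directly addresses the comment's point: even a cookie stolen at the moment of login expires on a fixed schedule, and a user or responder can invalidate every session of a compromised account in one call rather than waiting for the cookie to age out.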