This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
Pageshot's current UUID implementations [1][2] use Math.random to generate UUIDs.
This method produces predictable IDs, and someone could compute your next UUIDs based on previous ones. This might allow an attacker to crawl all shots.
I'm not sure how bad this is for your threat model (probably not so bad?), but I wanted to make sure this is noted.
jvehent added the `security` label (Security issue: can be an active issue, or related to security hygiene) on Mar 7, 2017
I actually had your notes from this somewhere but can't find them now, and forgot to make a ticket. Since the unguessability of these strings is important we should make this change.
We should also change randomString.js, and do a search for Math.random in case there's another instance I've forgotten.
Ah, there was an IRC conversation. I didn't figure this was related.
Here's something along the lines of what I wrote to you
```js
function hexString(length) {
  return Array.from( // wrap this into a real array
    crypto.getRandomValues(new Uint8Array(length / 2)) // random uint8 array (length/2 bytes -> length hex chars)
  ).map(
    (el) => el.toString(16).padStart(2, "0") // hex; values below 0x10 padded with a leading 0
  ).join("");
}
```