Insecure Random #3

Open
@FanjunMeng

Description

```java
// Picks one entry of the verify-code character pool with java.util.Random
return simplifiedChineseTexts[new Random().nextInt(simplifiedChineseTexts.length)];
```

I think it should use a secure random algorithm, “SecureRandom”, to generate the verify code.
An attacker will simply compute the seed from the observed output values. This takes significantly less time than 2^48 in the case of java.util.Random.
It is shown that you can predict future Random outputs observing only two (!) output values in time roughly 2^16.
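
The weak selection discussed above placed beside a SecureRandom-based version, as an added example that is not part of this issue or of the project's code; the character pool, the `weakCode` and `secureCode` helpers and the `VerifyCodeExample` class are constructed placeholders, since the real `simplifiedChineseTexts` array is not shown on the page.

```java
import java.security.SecureRandom;
import java.util.Random;

public class VerifyCodeExample {
    // Constructed sample pool; the project's real simplifiedChineseTexts array is not on the page.
    static final String[] simplifiedChineseTexts = {"天", "地", "人", "山", "水", "火", "木", "金"};

    // Weak: java.util.Random is a 48-bit linear congruential generator, so its whole
    // future output is fixed by its seed. The issue's code uses the no-arg constructor,
    // which only seeds from the clock; the generator itself is the same.
    static String weakCode(int length, long seed) {
        Random rnd = new Random(seed);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < length; i++) {
            sb.append(simplifiedChineseTexts[rnd.nextInt(simplifiedChineseTexts.length)]);
        }
        return sb.toString();
    }

    // Hardened: one SecureRandom instance, created once and reused for every request.
    // new SecureRandom() is backed by the platform CSPRNG and never blocks on Linux.
    static final SecureRandom SECURE = new SecureRandom();

    static String secureCode(int length) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < length; i++) {
            sb.append(simplifiedChineseTexts[SECURE.nextInt(simplifiedChineseTexts.length)]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Two Random instances sharing a seed produce identical codes: whoever knows
        // (or recovers) the seed knows every future verify code.
        String a = weakCode(4, 42L);
        String b = weakCode(4, 42L);
        System.out.println("weak, seed 42: " + a + " vs " + b + ", equal: " + a.equals(b));

        // SecureRandom output is not reproducible from earlier observations.
        System.out.println("secure: " + secureCode(4) + " / " + secureCode(4));
    }
}
```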
