
Insecure Random #3

Open
FanjunMeng opened this issue Oct 18, 2018 · 3 comments

@FanjunMeng commented Oct 18, 2018

return simplifiedChineseTexts[new Random().nextInt(simplifiedChineseTexts.length)];

I think it should use a secure random algorithm, "SecureRandom", to generate the verify code.
An attacker will simply compute the seed from the output values observed. This takes significantly less time than 2^48 in the case of java.util.Random.
It is shown that you can predict future Random outputs observing only two(!) output values in time roughly 2^16.
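The seed recovery described in the comment above, as an added example that is not code from the issue or from the project: a Python re-implementation of the 48-bit linear congruential generator behind java.util.Random (constants and nextInt(bound) logic as in the JDK source), a brute force over the 16 low state bits that two consecutive nextInt() outputs do not reveal, and a prediction of the subsequent nextInt(bound) picks. The seed value, the bound and the `secure_pick` helper (the Python `secrets` analogue of SecureRandom) are illustrative choices made here, not values from the project.

```python
# Added example, not code from the issue or the project. Re-implements the
# 48-bit LCG behind java.util.Random so the attack in the comment can be run
# offline: two consecutive nextInt() outputs leak the top 32 bits of two
# successive states; the 16 discarded low bits are brute-forced (2^16 work).
import secrets

MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1          # java.util.Random keeps only a 48-bit state


class JavaRandom:
    """Python clone of java.util.Random (same LCG, same nextInt(bound) logic)."""

    def __init__(self, seed):
        # new Random(seed) scrambles the seed with the multiplier first
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state):
        """Build a generator positioned at a known internal state."""
        r = cls.__new__(cls)
        r.state = state & MASK
        return r

    def next_bits(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self):
        """nextInt(): top 32 bits of the new state, as a signed Java int."""
        v = self.next_bits(32)
        return v - (1 << 32) if v >= (1 << 31) else v

    def next_int_bound(self, bound):
        """nextInt(bound), e.g. the index into an array of verify-code texts."""
        if bound <= 0:
            raise ValueError("bound must be positive")
        if bound & (bound - 1) == 0:                  # power of two
            return (bound * self.next_bits(31)) >> 31
        while True:
            bits = self.next_bits(31)
            val = bits % bound
            if bits - val + (bound - 1) < (1 << 31):  # no int overflow: accept
                return val


def recover_state(outputs):
    """Recover the internal state from >= 2 consecutive nextInt() outputs.

    The first output fixes the top 32 bits of the state that produced it; the
    low 16 bits are unknown, so all 2^16 are tried and the candidate whose
    successor reproduces the second output is kept (extra outputs are checked
    too). Returns the state *after* the last observed output, or None.
    """
    if len(outputs) < 2:
        raise ValueError("need at least two consecutive outputs")
    top = outputs[0] & 0xFFFFFFFF
    for low in range(1 << 16):
        state = (top << 16) | low
        ok = True
        for observed in outputs[1:]:
            state = (state * MULT + ADD) & MASK
            if state >> 16 != observed & 0xFFFFFFFF:
                ok = False
                break
        if ok:
            return state
    return None


def predict_picks(outputs, bound, count):
    """Predict the next `count` results of nextInt(bound) after `outputs`."""
    state = recover_state(outputs)
    if state is None:
        return None
    clone = JavaRandom.from_state(state)
    return [clone.next_int_bound(bound) for _ in range(count)]


def demo(seed, bound, count):
    """Attack a fresh generator (seed unknown to the attacker); returns (predicted, actual)."""
    victim = JavaRandom(seed)
    leaked = [victim.next_int(), victim.next_int()]   # the two observed outputs
    predicted = predict_picks(leaked, bound, count)
    actual = [victim.next_int_bound(bound) for _ in range(count)]
    return predicted, actual


def secure_pick(texts):
    """SecureRandom-style counterpart: a CSPRNG-backed choice via `secrets`."""
    return texts[secrets.randbelow(len(texts))]


if __name__ == "__main__":
    predicted, actual = demo(0x1234ABCD, 5, 3)   # illustrative seed and bound
    print("predicted:", predicted)
    print("actual:   ", actual)
```

The recovery does not depend on how the generator was seeded: `new Random()` without an argument still has only 48 bits of state, so keeping the seed secret does not help. The brute force assumes the attacker sees full 32-bit `nextInt()` values; when only `nextInt(length)` indices into a short array are visible, each observation leaks far fewer bits and more samples are needed, but the state space is still 2^48 and the outputs remain predictable in principle.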

@helloworldtang commented Nov 8, 2018

mark

@aiic03 (Contributor) commented Feb 6, 2019

Since GitHub has kept raising alerts on the insufficient randomness in this project, I suggest that we replace all usages of new Random() with new SecureRandom() to avoid the risk.

CVE-2018-18531

@aiic03 (Contributor) commented Feb 6, 2019

#4
