You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While this attack requires a long-running Java process to both issue a large number of codes AND a user to obtain (in sequential order) a set of these codes, this is a drop-in fix that resolves this issue.
The voucher code generator implementation uses an insecure source of randomness:
https://github.com/voucherifyio/voucher-code-generator-java/blob/master/src/main/java/io/voucherify/generator/VoucherCodes.java#L7
java.util.Random
uses Knuth's linear congruence pseudorandom number generator. Practical seed recovery attacks on this generator are known: https://hal.archives-ouvertes.fr/hal-02700791/documentWhile this attack requires a long-running Java process to both issue a large number of codes AND a user to obtain (in sequential order) a set of these codes, this is a drop-in fix that resolves this issue.
See #2
The text was updated successfully, but these errors were encountered: