Use of a Risky Cryptographic Primitive in x360ce/x360ce

Valid

Reported on

Jan 26th 2022


Description

x360ce uses the .NET Random and Guid classes to generate random numbers and bytes that are then used for sensitive purposes. System.Random is a deterministic, seedable PRNG, and Guid values are designed for uniqueness rather than unpredictability, so neither is a suitable source of secret or unguessable values.

Proof of Concept

None provided.

Impact

This vulnerability could allow attackers to predict sensitive information generated on x360ce's backend (see the 'occurrences' section for context).
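The following is an added illustration, not code from the x360ce project or from the reporter's patch. It contrasts a token generator built on the seeded System.Random class (the pattern the report flags) with one built on System.Security.Cryptography.RandomNumberGenerator (the class the fix adopts). The alphabet, token length and seed value are assumptions for the demo; the report does not state x360ce's character set. It assumes .NET 5 or later, where RandomNumberGenerator.GetInt32, RandomNumberGenerator.Fill and Convert.ToHexString are available.

```csharp
using System;
using System.Security.Cryptography;

// Added example: contrasts a System.Random-based token generator with a
// CSPRNG-based one. Not x360ce's code; the alphabet and seed are assumptions.
public static class TokenDemo
{
    // Hypothetical character set for the demo.
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // BEFORE: System.Random is a deterministic PRNG. Anyone who learns or
    // guesses the seed (on .NET Framework the default seed is the tick count)
    // reproduces every token it ever emits.
    public static string WeakToken(int seed, int length)
    {
        var rng = new Random(seed);
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[rng.Next(Alphabet.Length)];
        return new string(chars);
    }

    // AFTER: RandomNumberGenerator draws from the platform CSPRNG. GetInt32
    // uses rejection sampling, so indexing the alphabet stays uniform and
    // avoids the modulo bias of "byte % Alphabet.Length".
    public static string StrongToken(int length)
    {
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        return new string(chars);
    }

    // Raw secret bytes (keys, nonces, salts): fill a buffer from the CSPRNG
    // instead of calling Random.NextBytes or slicing a Guid.
    public static byte[] StrongBytes(int count)
    {
        var buf = new byte[count];
        RandomNumberGenerator.Fill(buf);
        return buf;
    }

    public static void Main()
    {
        // Same seed, same "random" token: the weak generator is fully predictable.
        Console.WriteLine("Weak tokens equal: " +
            (WeakToken(12345, 16) == WeakToken(12345, 16)));

        // Two CSPRNG tokens of the same length will not collide in practice.
        Console.WriteLine("Strong tokens differ: " +
            (StrongToken(16) != StrongToken(16)));

        Console.WriteLine("Strong bytes: " + Convert.ToHexString(StrongBytes(16)));
    }
}
```

Running Main prints that the two seeded WeakToken calls are equal and the two StrongToken calls differ. The point to check in a review of a patch like the one above is that every call site that produced a secret (token, key, nonce) moved to RandomNumberGenerator, and that the alphabet is indexed with GetInt32 rather than a modulo of a raw byte.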

We are processing your report and will contact the x360ce team within 24 hours.
We created a GitHub Issue asking the maintainers to create a SECURITY.md.
We have contacted a member of the x360ce team and are waiting to hear back.
x360ce/x360ce maintainer (Maintainer):

Thank you for reporting. I will see if it can be replaced with more secure classes.

Michael Rowley (Researcher):

No problem, I've submitted a patch for this issue. If it looks good and the character set looks appropriate, could you approve the report on here and merge the patch to main?

(The new version uses RandomNumberGenerator which is a CSPRNG offered by Microsoft as part of the .NET standard System.Security.Cryptography library)

Michael Rowley (Researcher):

See https://github.com/x360ce/x360ce/pull/1341

x360ce/x360ce maintainer validated this vulnerability.
Michael Rowley has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
x360ce/x360ce maintainer confirmed that a fix has been merged on 7a5b0f.
Michael Rowley has been awarded the fix bounty.