Use of a Broken or Risky Cryptographic Algorithm in x360ce/x360ce

Valid

Reported on

Jan 26th 2022


Description

The password-generation algorithm in the NewPassword() function is intended to produce passwords that are easier to remember, but in practice it only biases the character distribution of the output password.

Proof of Concept

  • Use the NewPassword() function a large amount of times and store the output.
  • Look at the frequency of each character on a distribution graph.

Impact

This vulnerability reduces the number of brute-force attempts an attacker needs, because some characters are more likely than others to appear in a given user's password.
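The proof of concept above (generate many passwords, compare character frequencies) written as a check, next to a CSPRNG-based generator with the 12-32 character length the fix adopts. This is an added example, not x360ce's code: the biased "memorable" scheme is a constructed stand-in because the page does not show NewPassword() itself, and the character set is an assumption.

```python
import math
import random
import secrets
import string
from collections import Counter

CHARSET = string.ascii_letters + string.digits  # assumed; the page does not give x360ce's set

def biased_password(length, rng):
    """Constructed 'memorable' scheme, NOT x360ce's NewPassword(): consonants and vowels
    alternate so the output is pronounceable. A vowel slot can hold only 5 letters and
    digits/uppercase never occur, so the distribution over CHARSET is far from uniform."""
    vowels, consonants = "aeiou", "bcdfghjklmnpqrstvwxyz"
    return "".join(rng.choice(vowels if i % 2 else consonants) for i in range(length))

def secure_password(length, choose=secrets.choice):
    """Hardened generator: each character is an independent CSPRNG draw from CHARSET.
    `choose` is injectable only so the statistical check below can run reproducibly."""
    return "".join(choose(CHARSET) for _ in range(length))

def new_password():
    """Replacement in the spirit of the merged fix: 12-32 characters, CSPRNG throughout."""
    return secure_password(12 + secrets.randbelow(21))

def chi_square_bias(passwords, charset=CHARSET):
    """The report's proof of concept as a check: pool the characters of many passwords and
    compare each symbol's count with the uniform expectation. Returns (statistic, threshold)."""
    counts = Counter("".join(passwords))
    expected = sum(counts.values()) / len(charset)
    stat = sum((counts.get(c, 0) - expected) ** 2 / expected for c in charset)
    df = len(charset) - 1
    # Rule-of-thumb cutoff: chi-square mean (df) plus five standard deviations
    # (sqrt(2*df)); an unbiased generator practically never exceeds it.
    return stat, df + 5 * math.sqrt(2 * df)

def is_biased(passwords):
    stat, threshold = chi_square_bias(passwords)
    return stat > threshold

def seeded_samples(n=2000, length=16, seed=1):
    """Reproducible inputs for the check: the biased scheme, and uniform draws made with
    a seeded PRNG standing in for the CSPRNG (only acceptable in a test, never in production)."""
    rng = random.Random(seed)
    biased = [biased_password(length, rng) for _ in range(n)]
    uniform = [secure_password(length, rng.choice) for _ in range(n)]
    return biased, uniform

if __name__ == "__main__":
    biased, uniform = seeded_samples()
    print("biased scheme:", chi_square_bias(biased))   # statistic far above the threshold
    print("uniform draws:", chi_square_bias(uniform))  # statistic near df, below threshold
```

Symbols that never appear (here every digit and uppercase letter) each contribute a full expected count to the statistic, which is why the biased scheme is flagged immediately even though every draw in it is "random".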

We are processing your report and will contact the x360ce team within 24 hours. 4 months ago
We have contacted a member of the x360ce team and are waiting to hear back 4 months ago
x360ce/x360ce maintainer
4 months ago

Maintainer


Thank you for reporting this issue. I will check for a more secure random function and increase the password length.

Michael Rowley
4 months ago

Researcher


No problem, I've submitted a patch for this issue. If it looks good and the character set looks appropriate, could you approve the report on here and merge the patch to the main branch? The password length has been changed to 12-32 characters and a standard CSPRNG has been implemented!

Michael Rowley
4 months ago

Researcher


See https://github.com/x360ce/x360ce/pull/1341

x360ce/x360ce maintainer validated this vulnerability 4 months ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
x360ce/x360ce maintainer confirmed that a fix has been merged on 7a5b0f 4 months ago
Michael Rowley has been awarded the fix bounty