Use of a Broken or Risky Cryptographic Algorithm in idno/known


Reported on

Sep 26th 2021


In the referenced code, known uses an insecure RNG to generate a password because, in its words; this should "mitigate security holes if cleanup fails" - unfortunately, if the cleanup fails - an attacker may be able to predict the password to the created account.

Proof of Concept

See the php documentation for rand() that highlights its insecure nature.


This vulnerability is capable of providing an attacker with access to a test account.

We have contacted a member of the idno/known team and are waiting to hear back 2 months ago
Ben Werdmuller validated this vulnerability 2 months ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ben Werdmuller confirmed that a fix has been merged on f57776 2 months ago
Ben Werdmuller has been awarded the fix bounty
MutateTest.php#L14 has been validated