Skip to content

Voucher code generator uses insecure randomness to generate codes #3

New issue
New issue
Open
Open
Voucher code generator uses insecure randomness to generate codes#3
@chgg-kboberg

Description

@chgg-kboberg
chgg-kboberg
opened on Nov 10, 2021

The voucher code generator implementation uses an insecure source of randomness:

https://github.com/voucherifyio/voucher-code-generator-java/blob/master/src/main/java/io/voucherify/generator/VoucherCodes.java#L7

java.util.Random uses Knuth's linear congruence pseudorandom number generator. Practical seed recovery attacks on this generator are known: https://hal.archives-ouvertes.fr/hal-02700791/document

While this attack requires a long-running Java process to both issue a large number of codes AND a user to obtain (in sequential order) a set of these codes, this is a drop-in fix that resolves this issue.

See #2

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions