joola.io: Weak Random Number Generator for Auth Tokens

2014-10-12T18:11:32
ID H1:31166
Type hackerone
Reporter voodookobra
Modified 2014-10-25T18:11:24

Description

https://github.com/joola/joola/blob/a534c3dca1a0deaec99c192978e61a35dd3a9069/lib/common/index.js#L90-L98

Math.random() is not sufficient for cryptographic purposes (such as authentication tokens).

An example replacement that uses window.crypto.getRandomValues() is available here:

https://github.com/resonantcore/lib/blob/9362480647b304aee6819ea94a18409241e79378/js/diceware/diceware.js#L60-L94

Further information: https://media.blackhat.com/us-13/US-13-Soeder-Black-Box-Assessment-of-Pseudorandom-Algorithms-WP.pdf