LiteLLM: Password hash exposure and pass-the-hash authentication bypass
Impact: Three issues combine into a full authentication bypass chain: 1. Weak hashing: User passwords are stored as unsalted SHA-256 hashes, making them vulnerable to rainbow table attacks and trivially identifying users with identical passwords. 2. Hash exposure: Multiple API endpoints /user/info...
Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users
Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces. "When a user performed either of these actions, Slack transmitted a hashed version of their password to othe...
PT-2022-20589 · Pypi · Flask-Appbuilder
Name of the Vulnerable Software and Affected Versions: Flask-AppBuilder versions prior to 4.1.3. Description: An authenticated Admin user could query other users by their salted and hashed password strings, using partial hashed password strings. The response would not include the hashed passwords...
CVE-2020-5229
Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially...
Exclusive — Hacker Steals Over 218 Million Zynga 'Words with Friends' Gamers Data
A Pakistani hacker who previously made headlines earlier this year for selling almost a billion user records stolen from nearly 45 popular online services has now claimed to have hacked the popular mobile social game company Zynga Inc. With a current market capitalization of over $5 billion, Zyng...
XKCD Forum Hacked – Over 562,000 Users' Account Details Leaked
XKCD—one of the most popular webcomic platforms, known for its geeky tech humor and other science-laden comic strips on romance, sarcasm, math, and language—has suffered a data breach exposing data of its forum users. The security breach occurred two months ago, according to security researcher...
Raritan PowerIQ Default Accounts
Hello list, Raritan PowerIQ ships with a few default accounts and passwords/hashes. For the web interface, there are technically 3 default users. webapi:sl33p30F00dumass! epiqapi:raritan admin:raritan You can technically authenticate with the epiqapi user on the web interface and the PowerIQ API,...
Extreme GPU Bruteforcer
Extreme GPU Bruteforcer is a professional solution for the recovery of passwords from hashes using GPU. The software supports hashes of the following types: MySQL, MySQL5, DESUnix, MD4, MD5, MD5Unix, MD5APR, MD5phpBB3, MD5WordPress, LM, NTLM, SHA-1 and many others. On modern graphics cards from...
Ravan : A Distributed Hash Brute Forcer !
A short post for Ravan this time. It is a JavaScript based Distributed Computing system that can perform brute force attacks on salted hashes by distributing the task across several browsers. Salted and plain versions of the following hashing algorithms are currently supported: MD5 SHA1 SHA256...