Use of a Broken or Risky Cryptographic Algorithm in idno/known
Sep 26th 2021
In the referenced code,
known uses an insecure RNG to generate a password because, in its words; this should "mitigate security holes if cleanup fails" - unfortunately, if the cleanup fails - an attacker may be able to predict the password to the created account.
Proof of Concept
See the php documentation for
rand() that highlights its insecure nature.
This vulnerability is capable of providing an attacker with access to a test account.