Use of a Broken or Risky Cryptographic Algorithm in idno/known


Reported on

Sep 26th 2021


In the referenced code, known uses an insecure RNG to generate a password because, in its words; this should "mitigate security holes if cleanup fails" - unfortunately, if the cleanup fails - an attacker may be able to predict the password to the created account.

Proof of Concept

See the php documentation for rand() that highlights its insecure nature.


This vulnerability is capable of providing an attacker with access to a test account.

We have contacted a member of the idno/known team and are waiting to hear back 2 years ago
Ben Werdmuller validated this vulnerability 2 years ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ben Werdmuller marked this as fixed with commit f57776 2 years ago
Ben Werdmuller has been awarded the fix bounty
This vulnerability will not receive a CVE
MutateTest.php#L14 has been validated
to join this conversation