2018-0319 Solution - Experience Is Making Mistakes

Challenge type: Code review

Affected: https://github.com/markbates/goth

Fixed in: version n/a

Original code: found here

Description

This week's challenge again looked at cryptography, but from a different angle. In this code, the goth library defines a function that relies on a weak cryptographic primitive, `math/rand`, Go's general-purpose pseudo-random number generator, whose output is fully determined by its seed. There has been a lot of research over the years, across multiple languages, citing the use of built-in math/random-number classes as insecure for cryptographic purposes. For further reading, check out the following links:

Solution

While there is no fix for this vulnerability at this time, addressing the issue would require the developer to swap out `math/rand` for `crypto/rand`, which reads from the operating system's cryptographically secure random source. The package documentation walks through its use - https://golang.org/pkg/crypto/rand/
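To make the swap concrete, here is an added example (my own illustration, not code from goth or its author) that generates a random token, the kind of value an OAuth library would use for a state parameter or nonce. The `weakToken` function shows the flagged pattern, `math/rand` with a caller-supplied seed, so that the reproducibility is visible; `secureToken` is the hardened form using `crypto/rand`. The function names, the seed value and the 32-byte token length are assumptions for the demo, not taken from the library.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
)

// weakToken mirrors the pattern the challenge flagged: a token drawn from
// math/rand. The output is a pure function of the seed, and seeds in real
// code are commonly time-based, so the "random" token is reproducible by
// anyone who knows or guesses the seed. (Hypothetical illustration, not goth code.)
func weakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// secureToken is the hardened form: crypto/rand reads from the OS CSPRNG.
// The error must be checked; if the CSPRNG is unavailable there is no safe
// fallback, so the caller gets an error rather than a weak token.
func secureToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("csprng unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// tokenBytes decodes a token back to raw bytes so a reviewer can confirm the
// token actually carries n bytes of entropy, not just n characters.
func tokenBytes(tok string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(tok)
}

func main() {
	// Same seed, same "random" token: the weak version is reproducible.
	// 1552000000 is a constructed Unix-timestamp-style seed for the demo.
	fmt.Println(weakToken(1552000000, 32) == weakToken(1552000000, 32)) // true

	// The CSPRNG-backed version yields a fresh token on every call.
	t1, err := secureToken(32)
	if err != nil {
		panic(err)
	}
	t2, err := secureToken(32)
	if err != nil {
		panic(err)
	}
	fmt.Println(t1 == t2) // false
	fmt.Println("token:", t1)
}
```

The review point is the seed: `math/rand` can only ever be as unpredictable as its seed, and `crypto/rand` removes the seed from the developer's hands entirely. Note also that `crypto/rand.Read` returns an error that `math/rand` callers never had to handle; failing closed on that error is part of the fix.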

If you're interested in keeping up on Coffee With A Splash Of Cyber each week, subscribe by entering your email address below.
