Report ID Generated with Insecure RNG
defuse reported:
In #48 (moved) we are discussing the report ID being leaked through side channels. There is currently a more severe issue: The random characters in the report ID are generated with an insecure (predictable) random number generator:
import random
...
def randomStr(length, num=True): """ Returns a random a mixed lowercase, uppercase, alfanumerical (if num True) string long length """ chars = string.ascii_lowercase + string.ascii_uppercase if num: chars += string.digits return ''.join(random.choice(chars) for x in range(length))]
If the report ID is to be used for authentication, those characters should be generated with a CSPRNG.
Note: This is not part of the Least Authority audit.