Password tokens easily predicted by PoC exploit

App generator tool JHipster Kotlin fixes fundamental cryptographic bug

UPDATED Use of a cryptographically weak pseudo random number generator (PRNG) in certain versions of JHipster Kotlin poses a risk for developers.

JHipster is an open source package that’s used to generate web applications and microservices. The base framework only works with Java, but JHipster Kotlin makes it compatible with Kotlin, a more modern cross-platform programming language.

Problems with PRNGs often crop up as problems in the development of secure systems. The effect of the recently resolved issue on JHipster Kotlin is more extreme than most.

The security weakness makes it possible for an attacker to generate a password reset email and, using that token, predict others’ password reset tokens.

This bug opens the door up to range of potential attacks, including the possibility of requesting an administrator’s password reset token in order to take over a privileged account.

Hackers have developed a proof of concept exploit that involves “taking one RNG value generated RandomStringUtils and reversing it to generate all of the past/future RNG values public since March 3rd, 2018”.

The problem arises because JHipster Kotlin relies upon Apache Commons Lang 3 RandomStringUtils to handle PRNGs and this technology is insecure.

Fortunately, a ready fix is available. Developers are advised to recompile applications using JHipster Kotlin 1.2.0 or above or, failing that, to apply workarounds as detailed in a recent advisory on GitHub.

There are 14.6k instances of vulnerable applications on GitHub because of the issue, according to software engineer Jonathan Leitschuh.

"It's my intention, in the next few months, to update my bulk-PR [pull request] generator to actually fix this vulnerability by automatically generating PRs for every one of these vulnerabilities I can find," Leitschuh told The Daily Swig.

This story has been updated with comment from security researcher Jonathan Leitschuh.

READ MORE Web admins urged to update Magento stores as first release line reaches end of life