Password tokens easily predicted by PoC exploit
Use of a cryptographically weak pseudo random number generator (PRNG) in certain versions of JHipster Kotlin poses a risk for developers.
JHipster is an open source package that’s used to generate web applications and microservices. The base framework only works with Java, but JHipster Kotlin makes it compatible with Kotlin, a more modern cross-platform programming language.
Weak PRNGs are a recurring source of flaws in the development of secure systems, but the impact of this recently resolved issue in JHipster Kotlin is more severe than most.
The weakness makes it possible for an attacker to request a password reset email and, using the token it contains, predict other users’ password reset tokens.
This bug opens the door to a range of potential attacks, including requesting an administrator’s password reset token in order to take over a privileged account.
Hackers have developed a proof-of-concept exploit that involves “taking one RNG value generated RandomStringUtils and reversing it to generate all of the past/future RNG values public since March 3rd, 2018”.
The problem arises because JHipster Kotlin relies on Apache Commons Lang 3 RandomStringUtils to generate these tokens, and the default RandomStringUtils helpers draw from a non-cryptographic PRNG, so their output is predictable.
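To illustrate the root cause, the following added Kotlin example (not code from JHipster Kotlin or from the advisory) contrasts a token generator that uses the default RandomStringUtils helper with one that supplies a SecureRandom through the overload that accepts an explicit random source; the function names and the 20-character length are assumptions for this example.

```kotlin
import java.security.SecureRandom
import org.apache.commons.lang3.RandomStringUtils

// WEAK (illustrative): the no-argument RandomStringUtils helpers draw from a
// shared java.util.Random, a 48-bit linear congruential generator. Its
// internal state can be recovered from observed output, so every later
// token from the same generator becomes predictable.
fun weakResetKey(length: Int = 20): String =
    RandomStringUtils.randomAlphanumeric(length)

// HARDENED (illustrative): keep one SecureRandom for the process and pass
// it to the RandomStringUtils overload that takes a java.util.Random source.
// Arguments: count, start, end, letters, numbers, chars, random
// (start = end = 0 with chars = null means "use the full Latin range").
private val SECURE_RANDOM: SecureRandom = SecureRandom()

fun secureResetKey(length: Int = 20): String =
    RandomStringUtils.random(length, 0, 0, true, true, null, SECURE_RANDOM)

fun main() {
    // Both produce alphanumeric strings of the same shape; only the second
    // is unpredictable to someone who has seen earlier tokens.
    println("weak   : ${weakResetKey()}")
    println("secure : ${secureResetKey()}")
}
```

A quick audit check for a code base is to search for calls to `RandomStringUtils.random*` that do not pass a `SecureRandom` argument, since those are the predictable ones.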
Fortunately, a fix is already available. Developers are advised to update generated applications to JHipster Kotlin 1.2.0 or above or, failing that, to apply the workarounds detailed in a recent advisory on GitHub.