An email popped up in my inbox recently from a Github project I watch. Normally it’s nothing too interesting, but this email was labeled as a security fix, a big deal in terms of bugs. The project is Vichan, a popular imageboard software used by a handful of websites, the largest of which being 8chan. Imageboards themselves are not malicious, but since there is no registration required to post, imageboards are appealing for less than ethical purposes. Notable examples include racist, homophobic, and gut-wrenching remarks littering 4chan & 8chan, and the revenge porn scene on Anon-IB, an imageboard almost dedicated to revealing private photos without permission.
Now back to Vichan. Included in Vichan is the ability to distinguish users apart with poster IDs. When a user makes a post, their IP address is put through an algorithm and a small ID is generated. This ID stays the same across multiple posts, making it easier to tell who is posting.
Security researcher @einaros was able to reverse this ID in order to determine the original IP address of the poster, which led to some interesting finds. If you are interested in what he found, check out this article at The Daily Beast.
This line from Vichan’s Github is how poster IDs are calculated:
return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread) . $config['secure_trip_salt']), 0, $config['poster_id_length']);
This seems to be pretty difficult to crack. The IP address is concatenated with the “secure_trip_salt” and concatenated with the thread number, that entire string is hashed, concatenated with the salt again, hashed again, and cut down to a small number of characters. How could someone have possibly cracked this?
Before February 8th, the Vichan install process was simple. Upload the files to your web server, go to /install.php, and fill out the form. The rest was done for you. However it had one problem, it used rand() to generate a “secure” salt.
$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);
The problem lies in PHP’s rand() function, which PHP says is to not be used for any secure process. PHP rand() relies on other non-random properties, as do most non-cryptographic random number generators, and has predictable outputs. It is very likely einaros was able to predict possible values for rand(), and therefore Anon-IB’s secure_trip_salt value.
Leave a Reply