
An email popped up in my inbox recently from a GitHub project I watch. Normally it’s nothing too interesting, but this email was labeled as a security fix, a big deal in terms of bugs. The project is Vichan, a popular imageboard software used by a handful of websites, the largest of which is 8chan. Imageboards themselves are not malicious, but since no registration is required to post, they are appealing for less-than-ethical purposes. Notable examples include racist, homophobic, and gut-wrenching remarks littering 4chan & 8chan, and the revenge porn scene on Anon-IB, an imageboard almost dedicated to revealing private photos without permission.

Now back to Vichan. Vichan includes the ability to tell users apart with poster IDs. When a user makes a post, their IP address is put through an algorithm and a small ID is generated. This ID stays the same across multiple posts, making it easier to tell who is posting.

Security researcher @einaros was able to reverse this ID in order to determine the original IP address of the poster, which led to some interesting finds. If you are interested in what he found, check out this article at The Daily Beast.

This line from Vichan’s GitHub repository is how poster IDs are calculated:

return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread) . $config['secure_trip_salt']), 0, $config['poster_id_length']);

This seems to be pretty difficult to crack. The IP address is concatenated with the “secure_trip_salt” and then with the thread number. That entire string is hashed, concatenated with the salt again, hashed again, and cut down to a small number of characters. How could someone have possibly cracked this?

Before February 8th, the Vichan install process was simple: upload the files to your web server, go to /install.php, and fill out the form. The rest was done for you. However, it had one problem: it used rand() to generate a “secure” salt.

$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);

The problem lies in PHP’s rand() function, which PHP’s documentation says is not to be used for any secure process. PHP’s rand() derives its output from non-random state, as do most non-cryptographic random number generators, so its outputs are predictable. It is very likely einaros was able to predict possible values for rand(), and therefore Anon-IB’s secure_trip_salt value.
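The installer line above, next to a CSPRNG-based replacement and an audit check for salts produced by the old path. This is an added example, not Vichan's code or its actual fix: the function names are hypothetical, the integer 12345 is a constructed stand-in for a rand() result, and random_bytes() assumes PHP 7.0 or later.

```php
<?php
// Added example, not Vichan's code. Function names are hypothetical.

// The pre-fix installer derivation with rand()'s output made an explicit
// parameter: the salt is a pure function of that one integer.
function legacy_salt(int $randOutput): string
{
    return substr(base64_encode(sha1((string) $randOutput)), 0, 30);
}

// Upper bound on the legacy salt's entropy: rand() returns an integer in
// [0, getrandmax()], so at most getrandmax() + 1 distinct salts exist.
function legacy_salt_entropy_bits(): float
{
    return log(getrandmax() + 1, 2);
}

// Hardened alternative (assumes PHP >= 7.0): 24 bytes from the OS CSPRNG,
// i.e. 192 bits, base64-encoded to 32 characters.
function csprng_salt(): string
{
    return base64_encode(random_bytes(24));
}

// Audit check: a legacy salt is 30 characters of base64 over sha1()'s
// lowercase hex output, so its first 28 characters decode to 21 hex digits.
function looks_like_legacy_salt(string $salt): bool
{
    if (strlen($salt) !== 30) {
        return false;
    }
    $decoded = base64_decode(substr($salt, 0, 28), true);
    return $decoded !== false && preg_match('/^[0-9a-f]{21}$/', $decoded) === 1;
}

$legacy = legacy_salt(12345); // 12345 is a constructed stand-in for rand()
$strong = csprng_salt();

printf("legacy salt space: at most 2^%.0f values\n", legacy_salt_entropy_bits());
printf("legacy salt flagged: %s\n", var_export(looks_like_legacy_salt($legacy), true));
printf("CSPRNG salt flagged: %s\n", var_export(looks_like_legacy_salt($strong), true));
```

The 30-character salt looks long, but its entropy is capped by the single integer that produced it, so a salt the audit check flags came from the weak path and should be regenerated.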

 
