Original post: infosec.exchange (glitch-soc (Mastodon fork))
this post was submitted on 16 Jun 2025
1636 points (99.6% liked)
Programmer Humor
24287 readers
633 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
what if 435841 is the most secure 6 digit numerical code?
why use another?
I use the random number 4, I even rolled a dice to get a real random number instead of those "pseudo" random numbers. (XKCD?)
https://xkcd.com/221/
This goes back even further, Randall is referencing the ps3 security, that has a constant instead of a random number. That allowed failOverflow to remove one variable and reverse the private key to sign ps3 apps.
The hitech world was crazy back then, I programmed the DS with some similar hack made by some dude on the internet. Fun times.
It probably just always displays the one code.
Maximized efficiency at the expense of security. Can happen to anyone.
The code is sent as part of a payload to the front-end for local validation
Yep. There's going to be some absolutely massive breach at some point that hurts a lot of people.