this post was submitted on 16 Jun 2025
1552 points (99.6% liked)

Programmer Humor


Original post: infosec.exchange (glitch-soc (Mastodon fork))

[–] [email protected] 22 points 12 hours ago (4 children)

Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
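The three weaknesses this comment lists (a non-secure generator, no brute-force limit, and a code the client can see) side by side with a server-side design that avoids them. This is an added Python example, not code from the thread or from the product the meme is about; the store, limits and function names are constructed for illustration.

```python
import hmac
import random
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # hypothetical limit: 5 guesses out of 10^6 codes
TTL_SECONDS = 300         # hypothetical lifetime of one code

# In-memory store standing in for a database row: user_id -> state.
# The code lives only here, on the server; it is never put in a response.
_store = {}


def weak_code(seed):
    """The anti-pattern: a general-purpose PRNG (Mersenne Twister) seeded from
    something guessable such as the clock. Same seed, same code."""
    rng = random.Random(seed)
    return f"{rng.randint(0, 10 ** CODE_DIGITS - 1):0{CODE_DIGITS}d}"


def issue_code(user_id, now=None):
    """Generate a code with the OS CSPRNG and keep it server-side.
    The return value is for out-of-band delivery (SMS, e-mail), not for
    the browser; the front-end never learns the expected value."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _store[user_id] = {"code": code, "expires": now + TTL_SECONDS, "attempts": 0}
    return code


def verify_code(user_id, submitted, now=None):
    """Server-side check: expiry, attempt cap, constant-time compare, single use."""
    now = time.time() if now is None else now
    entry = _store.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _store[user_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        # Too many guesses: invalidate the code so enumeration cannot continue.
        del _store[user_id]
        return False
    if hmac.compare_digest(entry["code"], str(submitted)):
        del _store[user_id]   # a code is consumed on first success
        return True
    return False


if __name__ == "__main__":
    print("weak, seed 1700000000 twice:", weak_code(1700000000), weak_code(1700000000))
    c = issue_code("alice")
    print("wrong guess accepted?", verify_code("alice", "000000"))
    print("correct code accepted?", verify_code("alice", c))
    print("replay accepted?", verify_code("alice", c))
```

With the cap in place an attacker who never sees the code has at most MAX_ATTEMPTS / 10^CODE_DIGITS chance per issued code, which is the property the comment says many implementations lack.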

[–] [email protected] 2 points 2 hours ago* (last edited 1 hour ago)

The code is sent as part of a payload to the front-end for local validation

[–] [email protected] 29 points 11 hours ago (1 children)

what if 435841 is the most secure 6 digit numerical code?

why use another?

[–] [email protected] 13 points 10 hours ago (2 children)

I use the random number 4, I even rolled a die to get a real random number instead of those "pseudo" random numbers. (XKCD?)

[–] [email protected] 2 points 1 hour ago

This goes back even further: Randall is referencing the PS3 security, which has a constant instead of a random number. That allowed fail0verflow to remove one variable and reverse the private key to sign PS3 apps.
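What "a constant instead of a random number" costs, worked through on toy DSA parameters. The PS3 used ECDSA, but the per-signature nonce k enters the equation s = k^-1 (h + x r) mod q the same way in both schemes, so the algebra is identical. This is an added Python example, not code from the thread or from fail0verflow; P, Q, G, the private key and the fixed nonce are constructed and far too small for real use.

```python
import secrets

# Toy DSA group (constructed): G has prime order Q in Z_P*.
P, Q, G = 23, 11, 2


def sign(x, h, k):
    """Textbook DSA signing of hash value h with private key x and nonce k.
    Passing the same k every time is the PS3 mistake."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    return r, s


def sign_fresh(x, h):
    """The fix: a fresh nonce from the OS CSPRNG for every signature
    (retrying on the rare r == 0 or s == 0, as the standard requires)."""
    while True:
        k = 1 + secrets.randbelow(Q - 1)
        r, s = sign(x, h, k)
        if r != 0 and s != 0:
            return r, s


def verify(y, h, sig):
    """Standard DSA verification against public key y = G^x mod P."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def find_reused_r(signed):
    """Defender's check: a repeated r across signatures means the nonce was
    reused. Returns {r: [indices]} for every r seen more than once."""
    seen = {}
    for i, (_h, (r, _s)) in enumerate(signed):
        seen.setdefault(r, []).append(i)
    return {r: idx for r, idx in seen.items() if len(idx) > 1}


def recover_from_reused_nonce(h1, sig1, h2, sig2):
    """Why reuse is fatal: two signatures with the same k share r, and
    s1 - s2 = k^-1 (h1 - h2), so k and then x drop out of linear algebra mod Q.
    This is the 'remove one variable' step the comment refers to."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different r values: the nonce was not reused")
    k = ((h1 - h2) * pow(s1 - s2, -1, Q)) % Q
    x = ((s1 * k - h1) * pow(r1, -1, Q)) % Q
    return x


if __name__ == "__main__":
    x = 7                      # constructed private key
    y = pow(G, x, P)           # public key
    sig_a = sign(x, 5, 3)      # both signatures made with the constant k = 3
    sig_b = sign(x, 9, 3)
    print("both verify:", verify(y, 5, sig_a), verify(y, 9, sig_b))
    print("reused r detected:", find_reused_r([(5, sig_a), (9, sig_b)]))
    print("recovered x == 7:", recover_from_reused_nonce(5, sig_a, 9, sig_b) == x)
    print("fresh nonces give distinct r:", sign_fresh(x, 5)[0], sign_fresh(x, 5)[0])
```

The detection function is the practical takeaway: any two valid signatures from the same key that share r are evidence of nonce reuse, and after that the private key is no longer secret, which is why deterministic nonces (RFC 6979) or a CSPRNG are mandatory for (EC)DSA.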

[–] [email protected] 10 points 12 hours ago

It probably just always displays the one code.

[–] [email protected] 3 points 12 hours ago

Yep. There's going to be some absolutely massive breach at some point that hurts a lot of people.