Weak Cryptography Seed
The effectiveness of a cryptographically-secure pseudorandom number generator is heavily reliant upon the seed. This initial “seed” value must be derived from a random source. A predictable seed value can permit an attacker to predict the generator's output.

Exploitation
Applications are often dependent upon random number generators to help create default/reset passwords. In this scenario, an attacker can take advantage of poorly seeded randomness to predict passwords.
An attacker will utilize an account under their control to gain access to a sample set of passwords. They can then use offline brute-forcing techniques that attempt to identify insecure randomness, which is not a trivial task. Once the attacker can successfully predict the output of the random password generator, they can subsequently attempt to gain access to other user accounts.

Remediation
The effectiveness of cryptography is heavily reliant upon secure implementation. To avoid common pitfalls, ensure that all documentation for the selected API is thoroughly reviewed before use. Ensure that all initial seeds embedded within the logic are derived from random/unpredictable sources.
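
The following added example (not code from the original page) contrasts a reset-password routine seeded from a timestamp with one that draws from the operating system's CSPRNG, and bounds the entropy the weak version can actually deliver. The function names, the 16-character length and the 62-symbol alphabet are assumptions chosen for illustration.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed policy)
LENGTH = 16                                      # assumed password length


def weak_reset_password(issued_at: int) -> str:
    """Insecure pattern: the entire generator state derives from a guessable seed.

    `issued_at` stands in for a Unix timestamp, a common but predictable seed.
    random.Random is a Mersenne Twister, which is not a CSPRNG.
    """
    rng = random.Random(issued_at)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_reset_password() -> str:
    """Hardened pattern: no application-supplied seed at all.

    secrets.choice draws from the OS CSPRNG (the same source as os.urandom).
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def effective_entropy_bits(candidate_seeds: int) -> float:
    """Upper bound on password entropy when only `candidate_seeds` seeds are possible.

    The password can never carry more entropy than the seed that produced it,
    nor more than the alphabet and length allow.
    """
    format_bits = LENGTH * math.log2(len(ALPHABET))
    return min(math.log2(candidate_seeds), format_bits)


if __name__ == "__main__":
    ts = 1_700_000_000  # constructed sample timestamp
    # Same seed, same password: the output is a pure function of the seed.
    print("weak, run 1:", weak_reset_password(ts))
    print("weak, run 2:", weak_reset_password(ts))
    print("strong     :", strong_reset_password())
    # Second-resolution timestamps within one day: 86,400 candidates.
    print("bits if seed is a timestamp within one day:",
          round(effective_entropy_bits(86_400), 1))
    print("bits the password format could carry:",
          round(LENGTH * math.log2(len(ALPHABET)), 1))
```

When reviewing code, any call that passes a clock value, process ID, counter or constant to a generator's seed function ahead of password or token creation is the pattern to flag.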