
Possible plain text content leak in getTxnId()
Closed, Resolved, Public

Description

getTxnId() uses the event content to calculate a *non-cryptographic* hash and uses it in the transaction id that is to be *sent to the server*.

In some cases, the event content might not be encrypted (i.e. it is called with a non-encrypted event). A malicious server may find some patterns in the transaction id, and thus it may exploit this problem to try to attack the cipher.

We should make it so that the event content is not used in the calculation of the transaction id.

Also, we should release ASAP.

Event Timeline

tusooa raised the priority of this task from Needs Triage to Unbreak Now!.
tusooa created this object with visibility "the Kazv Project (Project)".
tusooa created this object with edit policy "the Kazv Project (Project)".
tusooa changed the visibility from "the Kazv Project (Project)" to "Public (No Login Required)".
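
The pattern described in this task next to a content-independent alternative, as an added example that is not code from the Kazv Project. `contentDerivedTxnId` and `TxnIdGenerator` are hypothetical names, and `std::hash` stands in for the non-cryptographic hash, which the task does not show.

```cpp
#include <atomic>
#include <cstdint>
#include <functional>
#include <iomanip>
#include <iostream>
#include <random>
#include <sstream>
#include <string>

// "Before" (hypothetical): the id is a pure function of the event content.
// std::hash stands in for the non-cryptographic hash named in the report.
std::string contentDerivedTxnId(const std::string &content)
{
    return std::to_string(std::hash<std::string>{}(content));
}

// "After" (hypothetical): a per-session random nonce plus a counter.
// Nothing from the event reaches the id; the counter keeps ids unique.
class TxnIdGenerator
{
public:
    TxnIdGenerator()
    {
        // Assumption: std::random_device is backed by the OS CSPRNG here;
        // use the crypto library's RNG where that is not guaranteed.
        std::random_device rd;
        std::ostringstream out;
        out << std::hex << std::setfill('0');
        for (int i = 0; i < 4; ++i) {
            out << std::setw(8) << (rd() & 0xffffffffu);
        }
        m_nonce = out.str();
    }

    std::string next() { return m_nonce + "-" + std::to_string(m_counter++); }

private:
    std::string m_nonce;
    std::atomic<std::uint64_t> m_counter{0};
};

int main()
{
    // Constructed sample content, not taken from the project.
    const std::string content = R"({"msgtype":"m.text","body":"constructed sample"})";
    // Same plaintext, same id: the repetition is visible to the server.
    std::cout << contentDerivedTxnId(content) << "\n" << contentDerivedTxnId(content) << "\n";
    TxnIdGenerator gen;
    // Same plaintext, ids that carry no information about it.
    std::cout << gen.next() << "\n" << gen.next() << "\n";
}
```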