Skip to content

md5 is not secure for password storage

Moderate
RockChinQ published GHSA-36cc-58vm-wm4h Dec 28, 2024

Package

No package listed

Affected versions

<1.0.1

Patched versions

1.0.2

Description

Issue Description:
In the provided code, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longer considered secure for password storage or transmission. It is vulnerable to collision attacks and can be easily cracked using modern hardware, exposing user credentials to potential compromise.

Risk:
Using MD5 for password hashing significantly weakens the security of the application, making it susceptible to brute force and rainbow table attacks. This could lead to unauthorized access to user accounts and sensitive data.

Recommendation:
Replace MD5 with a secure, modern hashing algorithm such as bcrypt, Argon2, or PBKDF2.

code is at:

config.headers['Authorization'] = "Bearer " + md5(getPassword());

Severity

Moderate

CVE ID

CVE-2024-56516

Weaknesses

Use of Weak Hash

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). Learn more on MITRE.

Credits