DivineOmega / password_exposed

🔒 Password Exposed Helper Function - Check if a password has been exposed in a data breach.
GNU Lesser General Public License v3.0
213 stars 34 forks

SHA1 hashes are publicly exposed in the cache dir #8

Closed symm closed 6 years ago

symm commented 6 years ago

It's possible to recover the SHA1 of every password checked in the last 30 days by browsing the /tmp/password-exposed-cache folder.

Example

<?php

require_once(__DIR__ . '/vendor/autoload.php');

const DEMO_PASSWORD = 'WdBNSvWGnovprIe92mn4w3oinmWFxkbTHffqf8S8dUhYmNnbNjLJnUS1M7N6gVZ';

$passwordStatus = password_exposed(DEMO_PASSWORD);

echo 'Using a demo password of ' . DEMO_PASSWORD . ' with SHA1 ' . sha1(DEMO_PASSWORD) . PHP_EOL;
echo 'Status is: ' . $passwordStatus;

Output:

➜ password_exposed git:(master) ✗ php play.php
Using a demo password of WdBNSvWGnovprIe92mn4w3oinmWFxkbTHffqf8S8dUhYmNnbNjLJnUS1M7N6gVZ with SHA1 604c4b2521a23ccd21572619e84a895e4153d88a
Status is: not_exposed

➜ password_exposed git:(master) ✗ tree /tmp/password-exposed-cache
/tmp/password-exposed-cache
└── 60
    └── 4c4b2521a23ccd21572619e84a895e4153d88a.cache

1 directory, 1 file

The PR changes this to cache the API response instead.

DivineOmega commented 6 years ago

Definitely agree with the idea behind this. Thanks for the suggestion. We don't want to expose the SHA1 of every password checked in the cache directory.

I'd prefer to use the existing PSR-6 caching though. So rather than caching full requests via Guzzle middleware, I'd like to just cache the response body, and change the cache key to be only the first 5 characters of the SHA1.
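To make the proposed fix concrete, here is an added illustration (not code from the password_exposed library or from PR #9) of the scheme described above: the cache key is only the first 5 hex characters of the SHA1, and what gets cached is the range API's response body for that prefix, so a directory listing of the cache reveals no full password hash. The cache path, the `fetchRangeBody()` stand-in and its sample response lines are assumptions constructed for the example; a real implementation would fetch `https://api.pwnedpasswords.com/range/{prefix}` and store the body through the PSR-6 cache.

```php
<?php
// Added example (not the library's own code): cache keyed on the 5-character
// SHA1 prefix, storing the range API's response body rather than a per-hash file.
declare(strict_types=1);

const CACHE_DIR = '/tmp/password-exposed-cache-demo'; // assumed demo path, not the library's

/**
 * Constructed stand-in for the range API. The real endpoint returns lines of
 * "SUFFIX:COUNT" for every known hash starting with $prefix.
 */
function fetchRangeBody(string $prefix): string
{
    // Constructed sample: prefix 5BAA6 contains the suffix of sha1('password').
    $sample = [
        '5BAA6' => "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
                 . "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n",
    ];
    // Any other prefix gets a single filler line so the parser sees the real shape.
    return $sample[$prefix] ?? str_repeat('0', 35) . ":0\r\n";
}

function cacheFile(string $prefix): string
{
    return CACHE_DIR . '/' . $prefix . '.cache';
}

/** Returns the range body for $prefix, from cache if present. */
function getRangeBody(string $prefix): string
{
    $file = cacheFile($prefix);
    if (is_file($file)) {
        return (string) file_get_contents($file); // cache hit: body for this prefix only
    }
    if (!is_dir(CACHE_DIR)) {
        mkdir(CACHE_DIR, 0700, true);
    }
    $body = fetchRangeBody($prefix);
    file_put_contents($file, $body); // only the 5-character prefix ever reaches disk
    return $body;
}

/** Returns 'exposed' or 'not_exposed'; the full hash never leaves the process. */
function passwordExposed(string $password): string
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);
    $suffix = substr($hash, 5);

    foreach (explode("\n", getRangeBody($prefix)) as $line) {
        [$lineSuffix] = explode(':', trim($line), 2);
        if ($lineSuffix === $suffix) {
            return 'exposed';
        }
    }
    return 'not_exposed';
}

echo passwordExposed('password'), PHP_EOL;                                                        // exposed (from the sample body)
echo passwordExposed('WdBNSvWGnovprIe92mn4w3oinmWFxkbTHffqf8S8dUhYmNnbNjLJnUS1M7N6gVZ'), PHP_EOL; // not_exposed

// What someone browsing the cache directory can see: 5-character prefixes only.
print_r(array_map('basename', glob(CACHE_DIR . '/*.cache')));
```

Running this leaves files such as `5BAA6.cache` and `604C4.cache` in the demo directory; each holds the response body for that prefix, which is public data, and neither name nor contents pin down which password was checked.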

DivineOmega commented 6 years ago

I'm continuing this in PR #9.