GDColon / GDBrowser

A website that lets you browse all of Geometry Dash's online features, and more!
https://gdbrowser.com
MIT License

Is `XOR.js` secure? #222

Closed Rudxain closed 2 years ago

Rudxain commented 2 years ago

I haven't read the full source of the full repo, so I may be missing something. When XOR class functions are called to encrypt data, is the key salted with cryptographically secure random bytes? If not, then there's a security vulnerability in this repo. Maybe I'm exaggerating because AFAIK the website only stores sensitive data temporarily and locally, which means a simple XOR cipher may suffice if the key is not reused. So, is the key reused? Or is it at least "random enough" per-session?

Please take into account that HDDs store data almost permanently. So an attacker with access to a user's local machine could recover bytes from the drive and use Vigenère frequency analysis to decrypt passwords (no matter how old the data is). Of course this is only possible if the attacker has admin access to do a software-based recovery, or if they open the device to steal the drive physically. And this attack only works if the browser has cached some memory variable into the drive.

So, as long as all sensitive operations are done purely and explicitly in memory, this is probably safe I guess lol.

Apologies in advance if this Issue causes any inconveniences

GDColon commented 2 years ago

Haha, in this case XOR is only used to decrypt things from the game Geometry Dash. The game uses pretty weak crypto, but on the bright side that makes it easy to develop cool tools for it.

Rudxain commented 2 years ago

Oooh... now I get it [insert GIF of 2 colleague doctors where 1 finally understands something lol]. Thanks for clearing my doubts. That reminds me of the fact that RobTop's account management page uses HTTP instead of HTTPS. I hope the passwords are stored as hashes in the main server.

Update: found the GIF!