hackergandhi / LockBoxXtreme

LockBoxXtreme is a robust and user-friendly password manager that securely stores your sensitive credentials using cutting-edge encryption. Designed for simplicity and security, it's an essential tool for anyone who values digital safety.
https://github.com/hackergandhi/LockBoxXtreme
MIT License

Added Functionality to Update Master Password #15

Open hackergandhi opened 2 weeks ago

hackergandhi commented 2 weeks ago

Hi @hackerjatti32 and @i3hz,

I've introduced a new function in our project and committed the changes with the following: ac1f657 and c63db54. Please review these commits and let me know if you notice any issues or potential improvements that I should address.

Summary of Changes:

1) New Functionality:

2) Files Modified:

Please take a look and let me know if you encounter any issues or have any suggestions for improvement.

Thanks!

hackergandhi commented 2 weeks ago

@Hackerjatti32 please test these changes carefully

Hackerjatti32 commented 2 weeks ago

@Hackerjatti32 please test these changes carefully

Yeah @hackergandhi, there doesn't seem to be any issue with the new function, and the tool is working properly with it as well.

hackergandhi commented 2 weeks ago

Now what??

Why did you open this issue again?

Hackerjatti32 commented 2 weeks ago

@Hackerjatti32 please test these changes carefully

Hi @hackergandhi

After testing carefully the latest commit, I encountered a significant issue related to password decryption when the master password is updated. Here's the detailed explanation:

Problem Description:

When we initially store a password for a service (e.g., a service named "gandhi"), the password is encrypted using a salt that is derived from the current master password. If the master password is later updated, the salt also changes. This creates a problem when we try to retrieve previously stored passwords.

For example, after storing a password for the "gandhi" service, I changed the master password. Due to this, the salt was regenerated. Now, when I attempt to retrieve the "gandhi" service's password, the application fails with the following error:

🔍 Enter the service name you wanna retrieve: gandhi
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/cryptography/fernet.py", line 134, in _verify_signature
    h.verify(data[-32:])
cryptography.exceptions.InvalidSignature: Signature did not match digest.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/gandhi/Desktop/Targets/lockboxxtreme/main/main.py", line 261, in <module>
    main()
  File "/home/gandhi/Desktop/Targets/lockboxxtreme/main/main.py", line 217, in main
    decrypted_password = decrypt_message(encrypted_password.encode(), key)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/gandhi/Desktop/Targets/lockboxxtreme/main/./encryptor.py", line 55, in decrypt_message
    return f.decrypt(encrypted_message).decode()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/cryptography/fernet.py", line 91, in decrypt
    return self._decrypt_data(data, timestamp, time_info)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/cryptography/fernet.py", line 152, in _decrypt_data
    self._verify_signature(data)
  File "/usr/local/lib/python3.11/dist-packages/cryptography/fernet.py", line 136, in _verify_signature
    raise InvalidToken
cryptography.fernet.InvalidToken

Analysis:

This error occurs because the encryption key, derived from the new salt, does not match the key used to encrypt the password initially (when the old master password was in use). The decryption process fails since the data's signature does not match the new key, leading to an InvalidToken exception.

Impact:

This issue causes the application to abort when attempting to retrieve any passwords stored before the master password was updated. It makes the stored data inaccessible and could potentially lead to a loss of critical information.

Suggestion:

To resolve this, we might need to implement a mechanism to re-encrypt all stored passwords with the new salt when the master password is changed. Alternatively, we could store the salt used for each password separately and use that specific salt for decryption.

Please let me know if further information is needed or if there are any other aspects you'd like me to test.

Best regards,

hackerjaati32
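A minimal model of the failure reported above and of the first fix suggested (re-encrypting on master-password change), written as an added example and not LockBoxXtreme's own code; the PBKDF2 parameters, the vault layout and the function names are assumptions. Re-encryption is the path shown because the Fernet key depends on the master password as well as the salt, so keeping the old salt per entry would not by itself make the old key derivable from the new master password.

```python
import base64
import hashlib
import os

from cryptography.fernet import Fernet, InvalidToken

# Assumed KDF settings for this example; not the project's actual values.
PBKDF2_ITERATIONS = 200_000


def derive_key(master_password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 -> urlsafe-base64 32-byte key, the format Fernet expects."""
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(raw)


def new_vault() -> dict:
    """Constructed vault layout: one salt, plus a service -> Fernet token map."""
    return {"salt": os.urandom(16), "entries": {}}


def store(vault: dict, master_password: str, service: str, password: str) -> None:
    f = Fernet(derive_key(master_password, vault["salt"]))
    vault["entries"][service] = f.encrypt(password.encode())


def retrieve(vault: dict, master_password: str, service: str):
    """Return the plaintext, or None when the key no longer matches (the InvalidToken case)."""
    token = vault["entries"].get(service)
    if token is None:
        return None
    f = Fernet(derive_key(master_password, vault["salt"]))
    try:
        return f.decrypt(token).decode()
    except InvalidToken:
        return None  # wrong master password or stale key: report, do not crash


def change_master_password_broken(vault: dict, new_master: str) -> None:
    """What the reported bug amounts to: a fresh salt, old ciphertexts left untouched."""
    vault["salt"] = os.urandom(16)


def change_master_password(vault: dict, old_master: str, new_master: str) -> bool:
    """Fixed rotation: decrypt every entry under the old key, re-encrypt under the new key,
    and only then swap in the new salt. All-or-nothing, so a wrong old password changes nothing."""
    old_f = Fernet(derive_key(old_master, vault["salt"]))
    new_salt = os.urandom(16)
    new_f = Fernet(derive_key(new_master, new_salt))
    try:
        reencrypted = {svc: new_f.encrypt(old_f.decrypt(tok)) for svc, tok in vault["entries"].items()}
    except InvalidToken:
        return False  # old master password did not verify; vault untouched
    vault["salt"], vault["entries"] = new_salt, reencrypted
    return True
```

With the broken rotation the "gandhi" entry becomes unreadable under both the old and the new master password; with the fixed rotation it stays readable under the new one only.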

i3hz commented 2 weeks ago

Hello, sorry I was busy for the last couple of days, couldn't use my computer. Also, do you guys have Discord or anything?

hackergandhi commented 2 weeks ago

Hi @Hackerjatti32

Thanks for identifying this low-severity issue in the new update on this project. You'll be rewarded with a $25 bounty, but to receive it, you'll need to resolve the bug yourself. After committing the fix, please provide detailed information on what changes you made to the code file.

Hackerjatti32 commented 2 weeks ago

Hi @Hackerjatti32

Thanks for identifying this low-severity issue in the new update on this project. You'll be rewarded with a $25 bounty, but to receive it, you'll need to resolve the bug yourself. After committing the fix, please provide detailed information on what changes you made to the code file.

Hi @hackergandhi, thanks for this, I'll try my best to resolve this error.

Hackerjatti32 commented 2 weeks ago

Hello, sorry I was busy for the last couple of days, couldn't use my computer. Also, do you guys have Discord or anything?

@i3hz Nope

Hackerjatti32 commented 2 weeks ago

Hi @hackergandhi,

I was trying to resolve this error, but doing so is creating other errors. I will work on fixing this bug as quickly as possible, but it might take a few more days.

hackergandhi commented 2 weeks ago

Hi @Hackerjatti32

Don't worry, take your time.

hackergandhi commented 2 weeks ago

Hi @Hackerjatti32, is there any update? I am trying to introduce new features in this tool, but I am stuck on this problem. Please patch the error in the current files; otherwise, I will cancel the bounty amount.

Hackerjatti32 commented 1 week ago

Hi @hackergandhi, yeah, I resolved that bug, but I found another one, which I'm now trying to fix.