Open hammad93 opened 7 months ago
sudo ntpdate pool.ntp.org
to synchronize time. You may need to install ntpdate first.
The hardware (RTC) clock is different from the system clock, here's how to synchronize. https://askubuntu.com/questions/175452/hwclock-not-in-sync-with-system-clock
Exploit works if it's running on a VM but not through a container, because things like Docker don't let you change the system time inside the container.
Inside a container from things like Docker, we could use https://github.com/wolfcw/libfaketime but doing this on an already running process may not be possible.
Currently, we get the current time using Python's built-in timestamp, which uses the system time.
This app should work even if someone changes the system time on the machine.
This issue tracks the ability to use SSL and time providers to validate timestamps. This should be the default, but there must be methods to toggle between the two.
Let's say you have something set to expire in a week. Someone who has root access to the VM the API is running on can change the system time to unlock the code.
Although this is a critical exploit, there are workarounds, and the original design was going to do this anyway (reference https://github.com/hammad93/time_crypt/tree/00509f375d70fee353c226d91c633baa32910ac4), plus this requires access to the VM.
Because the intent of the secret covers both others and yourself, if you have access to the VM, then it conflicts with the intent.
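An added example (not code from the time_crypt project) of the trusted-time check this issue asks for, in Python: the unlock decision is made against the time reported in an HTTPS response's Date header (the TLS certificate check is what makes that source trustworthy), and the local clock is only compared against it so that a moved system clock is reported instead of honoured. The URL, the five-minute skew tolerance and the `unlock_at` naming are assumptions.

```python
"""Added example: validate a time lock against a trusted remote clock, not the system clock."""
import email.utils
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# NTP-synchronised hosts differ from a remote clock by seconds; anything beyond this
# tolerance is treated as a tampered or broken local clock. (Assumed value.)
MAX_SKEW = timedelta(minutes=5)


@dataclass
class TimeCheck:
    unlocked: bool
    reason: str            # "ok", "locked" or "clock-mismatch"
    trusted_now: datetime
    local_now: datetime


def parse_http_date(header_value: str) -> datetime:
    """Parse an HTTP Date header (e.g. 'Mon, 01 Jan 2024 12:00:00 GMT') to an aware UTC datetime."""
    parsed = email.utils.parsedate_to_datetime(header_value)
    if parsed.tzinfo is None:  # some inputs ('-0000') come back naive; treat them as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def fetch_trusted_time(url: str = "https://www.example.com/", timeout: float = 5.0) -> datetime:
    """Network path (not exercised offline): read the Date header of an HTTPS response.
    urllib verifies the server certificate, so the value comes from a known remote party
    rather than from whoever controls the local clock. The URL is an assumption."""
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return parse_http_date(response.headers["Date"])


def check_unlock(unlock_at: datetime, trusted_now: datetime,
                 local_now: Optional[datetime] = None,
                 max_skew: timedelta = MAX_SKEW) -> TimeCheck:
    """Decide whether a secret locked until `unlock_at` may be released.
    Only `trusted_now` decides; the local clock is checked for disagreement so a
    root user moving the system time forward is caught instead of unlocking early."""
    if local_now is None:
        local_now = datetime.now(timezone.utc)
    skew = abs(local_now - trusted_now)
    if skew > max_skew:
        return TimeCheck(False, "clock-mismatch", trusted_now, local_now)
    if trusted_now < unlock_at:
        return TimeCheck(False, "locked", trusted_now, local_now)
    return TimeCheck(True, "ok", trusted_now, local_now)
```

The offline path passes both clocks to `check_unlock` explicitly; in the running service `fetch_trusted_time` would supply `trusted_now` on each unlock request.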