Math.random() Is Not Random Enough. I Found It Building API Keys in a 44K-Star Repo.
The article examines the security risk of generating API keys with Math.random(). Math.random() is a non-cryptographic pseudo-random number generator (V8 implements it as xorshift128+): its outputs are not secret, and an attacker who observes a handful of them can recover the generator's internal state and predict the values that follow. For any token that must be unguessable, the article recommends crypto.randomBytes() or crypto.randomUUID(), which draw from the operating system's cryptographically secure random source.
- Math.random() is a non-cryptographic pseudo-random number generator whose internal state can be reconstructed from a small number of observed outputs.
- Using Math.random() to generate API keys is therefore a serious risk: an attacker who sees a few issued keys can recover the state and predict keys issued later.
- The article suggests crypto.randomBytes() or crypto.randomUUID() as safer alternatives for generating secret tokens.
Opening excerpt (first ~120 words)
Ofri Peretz. Posted on May 30, originally published at ofriperetz.dev. #security #javascript #node #devsecops

I found this in our benchmark corpus, extracted verbatim from Cal.com's Make integration setup (~44K GitHub stars):

```javascript
const apiKey = `cal_live_${Math.random().toString(36).substring(2)}`;
```

An attacker who observes a handful of these keys can predict the…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.