Bouncy Castle crypto-API: attackers could disrupt password checks

Source: Heise.de added 18th Dec 2020


Due to a flaw in the Bouncy Castle crypto API, attackers could bypass the password check and thus attack websites more effectively with brute-force attacks. A fixed version is available for download.

The flaw is in the OpenBSDBcrypt class, which implements the Bcrypt algorithm for storing passwords. When Bcrypt is used on a website, for example, passwords are usually very well protected against attacks.

Authentication bypass

If an attacker tries to guess passwords by trying out random combinations of characters a thousand times, for example to log into the admin area, Bcrypt intervenes.

By performing many iterations of hash operations, the algorithm deliberately demands a lot of resources for each password check. As a result, an attacker can only try comparatively few passwords per second, and brute-force attacks are not effective.

Because of the flaw, attackers could bypass this check, security researchers from Synopsys warn in an article. According to them, the vulnerability (CVE-2020-28052), classified as "high", affects only Bouncy Castle versions 1.65 and 1.66. Version 1.67 is fixed.
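To check whether a project ships one of the affected releases, the following added example (not part of the original article or of Bouncy Castle) scans dependency listings and jar file names for the versions named above. It assumes that OpenBSDBcrypt ships in the `bcprov` provider artifacts; the sample lines, `find_affected` and `normalize` are constructed for illustration.

```python
import re

# Affected releases as stated in the article (CVE-2020-28052); 1.67 is fixed.
AFFECTED = {"1.65", "1.66"}

# Matches Bouncy Castle provider artifacts in Maven/Gradle coordinates
# (bcprov-jdk15on:jar:1.66, bcprov-jdk15on:1.66) and in jar file names
# (bcprov-jdk15on-1.66.jar or the dotless form bcprov-jdk15on-166.jar).
# Assumption: only the bcprov artifacts are of interest here.
_BCPROV = re.compile(
    r"\b(bcprov(?:-ext)?-jdk[0-9a-z]+)"   # artifact name
    r"(?::[a-z]+)?[:-]"                   # optional packaging, then separator
    r"(\d+(?:\.\d+)*)"                    # version
)


def normalize(version):
    """Turn the dotless jar notation ('166') into the release number ('1.66')."""
    if re.fullmatch(r"\d{3}", version):
        return version[0] + "." + version[1:]
    return version


def find_affected(lines):
    """Return (line_number, artifact, version) for every affected bcprov reference."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _BCPROV.finditer(line):
            version = normalize(match.group(2))
            if version in AFFECTED:
                hits.append((number, match.group(1), version))
    return hits


# Constructed sample input: build-tool output, a Gradle line and jar paths.
SAMPLE = """\
[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.66:compile
[INFO]    org.bouncycastle:bcpkix-jdk15on:jar:1.66:compile
implementation 'org.bouncycastle:bcprov-jdk15on:1.67'
WEB-INF/lib/bcprov-jdk15on-165.jar
WEB-INF/lib/bcprov-ext-jdk15on-1.64.jar
"""

if __name__ == "__main__":
    for number, artifact, version in find_affected(SAMPLE.splitlines()):
        print(f"line {number}: {artifact} {version} is affected, upgrade to 1.67")
```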
