Far From Random: Three Mistakes From Dart/Flutter's Weak PRNG | Zellic — Research
A look into how an unexpectedly weak PRNG in Dart led to Zellic's discovery of multiple vulnerabilities
Hasnain says:
This was a really cool read. Had to leave the part before the tldr though because that response time puts us all to shame.
“Timeline and Conclusion
The bug was reported August 23, 2024, and it was acknowledged after only 21 minutes, asking to verify their proposed fix. After acknowledging, a new release was pushed a few minutes later.
Long Story Short
These three issues were all caused by the same root cause: the usage of a non-cryptographically secure PRNG. All of the bugs were exacerbated by the unexpectedly low entropy in the Flutter PRNG, where the internal seeds are just 32 bits. We showed practical attacks that will recover secrets within a reasonable time and how they led to attacks on Flutter developers, users of the Proton Wallet mobile application, and users of SelfPrivacy.”
Posted on 2024-12-14T07:34:52+0000