Direct link to Proton Wallet Encryption Vulnerability and ex-Monero dev comment.
Direct link to Predictable Passwords in SelfPrivacy
The issue was fixed the day after Proton Wallet release. Next time, please say this upfront to avoid misleading people.
The problem is with Proton deliberately choosing Random(), which generated a non-secure pseudo-random number, instead of using Random.secure(), which actually generates cryptographically secure numbers. This is a rookie mistake; actually, rookies are even taught about it in crypto 101 fundamentals.
Mistakes like this shouldn’t be taken lightly, it lowers my trust in Proton significantly as they supposedly already have experience with several security apps like Proton Pass and they are a multi-million dollar company.
I also suggest reading it fully before accusing someone of misleading people.
August 15, 2024 — After getting a bounty and also the green light to discuss the bug with others, we discovered that the PRNG was only 32 bit on mobile platforms. That made some brute-force attacks feasible.
This is a mistake, but not a crucial one. While CSPRNGs are important for safety, using a standard PRNG in itself isn’t going to lead to a breach.
Look, everyone makes mistakes. I believe Ente did the same, but audits and public code help make it better.
Yeah, it’s not great, but I don’t see it as the end of the world.
Crypto software MUST be mistake-free.
It is. It just wasn’t for 24 hours, on an Early Access platform
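
The Random() versus Random.secure() distinction discussed in this thread can be checked for mechanically in a code review or CI step. The following is an added example, not code from any poster or from Proton; it assumes the calls named above are the constructors from Dart's dart:math library, and the Dart sample it scans is constructed for illustration.

```python
import re

# dart:math construction of the default (non-cryptographic) generator:
# Random() or Random(seed), optionally behind an import prefix (math.Random()).
# Random.secure() does not match because "(" must directly follow "Random";
# the lookbehind skips other identifiers such as SecureRandom( or myRandom(.
INSECURE_RANDOM = re.compile(r"(?<!\w)Random\s*\(")
LINE_COMMENT = re.compile(r"//.*$")

# Constructed Dart sample (not taken from any real project).
SAMPLE = '''\
import 'dart:math';

// Random() is fine to mention in a comment.
List<int> weakKey() {
  final rng = Random();
  return List<int>.generate(32, (_) => rng.nextInt(256));
}

List<int> strongKey() {
  final rng = Random.secure();
  return List<int>.generate(32, (_) => rng.nextInt(256));
}

final seeded = Random(42);
'''


def find_insecure_random(dart_source: str) -> list[tuple[int, str]]:
    """Return (line_number, code) for each non-CSPRNG Random construction.

    Heuristic only: it strips // comments line by line and does not parse
    block comments or string literals, so review each hit by hand.
    """
    findings = []
    for lineno, raw in enumerate(dart_source.splitlines(), start=1):
        code = LINE_COMMENT.sub("", raw)
        if INSECURE_RANDOM.search(code):
            findings.append((lineno, code.strip()))
    return findings


if __name__ == "__main__":
    for lineno, code in find_insecure_random(SAMPLE):
        print(f"line {lineno}: non-cryptographic Random in: {code}")
```

Not every hit is a defect, since Random() is acceptable for non-secret values such as UI jitter; the check exists to force a review wherever the output feeds keys, passwords or other secrets.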