If you don't know, then you aren't the target audience.
But there are two applications: the first is breaking in to a system under some very obscure set of circumstances that you are very unlikely to encounter in the real world. The second is to bump up your karma on HN.
> If you don't know, then you aren't the target audience.
If you do know, then you also know md5 being broken is really really old news.
Seriously. Cryptographers have been warning that md5 seems weak since 1996. There are probably people reading this thread who weren't even alive yet. (It got totally broken in 2004 but the warning signs were way earlier).
> system under some very obscure set of circumstances that you are very unlikely to encounter in the real world.
Is there any way to use HN karma? Like, can I sell my account on some shady exchange like people sell big twitter accounts? And if I can, what's the going rate for internet points these days? Asking for an unscrupulous friend.
After, sometimes, the initial scanning, the security and AV industry deals with file hashes, not actual files. This means that if you wrote a legitimate, harmful program, and a malicious version with the same hash, you would be able to troll the security rolls in many cases. Basically, those two files would look the same to the security program.
The thing that makes this blog post not realistic is:
* Such tricks would make much more sense with normal programs, where you're trying to trick an user to download and execute it. Webshells are downloaded by the attacker knowingly.
* Md5 is not used anymore (although I know security vendors who used it for embarrassingly long time). If this was SHA256, that attack would be devastating for many more severe reasons.
> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.
That's only true if you ignore all the details.
As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.
WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.
So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.
lisper|5 months ago
But there are two applications: the first is breaking in to a system under some very obscure set of circumstances that you are very unlikely to encounter in the real world. The second is to bump up your karma on HN.
bawolff|5 months ago
If you do know, then you also know md5 being broken is really really old news.
Seriously. Cryptographers have been warning that md5 seems weak since 1996. There are probably people reading this thread who weren't even alive yet. (It got totally broken in 2004 but the warning signs were way earlier).
alkonaut|5 months ago
Is there any way to use HN karma? Like, can I sell my account on some shady exchange like people sell big twitter accounts? And if I can, what's the going rate for internet points these days? Asking for an unscrupulous friend.
integralid|5 months ago
The thing that makes this blog post not realistic is:
* Such tricks would make much more sense with normal programs, where you're trying to trick an user to download and execute it. Webshells are downloaded by the attacker knowingly.
* Md5 is not used anymore (although I know security vendors who used it for embarrassingly long time). If this was SHA256, that attack would be devastating for many more severe reasons.
But it's still a fun PoC.
chipsrafferty|5 months ago
h4ck_th3_pl4n3t|5 months ago
0points|5 months ago
That's only true if you ignore all the details.
As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.
WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.
So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.
Source: https://developer.wordpress.org/reference/functions/wp_hash_...
IshKebab|5 months ago
> Can use it bypass some cached webshell detections.