Hacker News
by mirimir 3336 days ago
OK, it's explained in https://arstechnica.com/security/2017/05/the-hijacking-flaw-...

The code compares the correct "hash and the hash response received from the browser, with N set to the length of the response received from the browser". So if the browser returns "", that's compared with the first zero characters in the correct hash, which is also "". Funny.
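
The comparison described in the comment above, sketched in C as an added example; it is not part of the original post and not the affected product's code. The function names and the sample digest are constructed for illustration. The second function shows the hardened form: it requires the full digest length before comparing anything.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 32-character hex digest standing in for the
 * server-computed hash. All names here are hypothetical. */
#define DIGEST_HEX_LEN 32
static const char SAMPLE_DIGEST[] = "0123456789abcdef0123456789abcdef";

/* Flawed pattern from the comment: N is taken from the length of the
 * response the client sent, so an empty response compares zero bytes
 * and strncmp() reports equality. */
int check_response_flawed(const char *expected, const char *response)
{
    size_t n = strlen(response);
    return strncmp(expected, response, n) == 0;
}

/* Hardened form: reject any response that is not exactly the expected
 * length, then compare every byte without an early exit. */
int check_response_fixed(const char *expected, const char *response)
{
    unsigned char diff = 0;
    size_t i;

    if (strlen(expected) != DIGEST_HEX_LEN ||
        strlen(response) != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ response[i]);
    return diff == 0;
}

int main(void)
{
    printf("flawed, empty response: %d\n",
           check_response_flawed(SAMPLE_DIGEST, ""));
    printf("fixed,  empty response: %d\n",
           check_response_fixed(SAMPLE_DIGEST, ""));
    printf("fixed,  full match:     %d\n",
           check_response_fixed(SAMPLE_DIGEST, SAMPLE_DIGEST));
    return 0;
}
```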