by user5994461 3285 days ago
https://github.com/laie/WorldsFirstSha2Vulnerability

Work by a random dude who pretends to find infinite collision so bad that he can't publish it.

No math. No explanation.

The code is a mix of single letter variables with hardly any comment.

Thank you, I'll pass.


The code sets up a sha256 state, then adds some input to sha256, and then demonstrates that the sha256 state is the same as it was.

I'd say that counts as a vulnerability. It doesn't mean sha256 is broken, but it's a vulnerability.

EDIT: All of this modulo a rigged sha256.py, of course

Yes, but the rigged sha256 seems to produce the same results as a real sha256. And there's nothing obviously hinky in the code that I can see on cursory inspection. If this is rigged, it's rigged in a particularly clever way.

[UPDATE] Turns out this is not a vulnerability at all:

https://crypto.stackexchange.com/questions/48580/fixed-point...

You can google for existing sha256 collisions, nothing special in hard coding one.

Google it and you'll find the source, if it's a popular collision already published in papers.

I think you're confusing SHA256 with SHA1.