|
|
|
|
|
|
by kbwt
2586 days ago
|
|
|
The application is using a proprietary client/server protocol, so it already lacks lacks any kind of interoperability. In this specific case, it's unclear whether the bug has direct security implications. The broken SHA-1 is used on some user-controlled data that gets XORed onto the server's decryption of a user-specified payload before being passed into an RC4 key schedule. It's certainly plausible that this might produce a server-assisted privacy compromise of other users' sessions. |
|
|