Category: Business Logic
Optimizable PasswordManager check
Medium Severity
Medium Impact
High Likelihood
Description
The Fuelet wallet checks user passwords and PINs by first hashing them with SHA-256 and then attempting to decrypt a known value with AES-GCM. This operation is highly optimizable and parallelizable, and an attacker who has the ciphertext can discover the low-entropy PIN in seconds.
This validation is performed in fuelet_secure_layer/packages/fuelet_secure_layer/lib/src/features/password/password_manager.dart:
const _secretToEncrypt = 'fuelet_secure_layer_secret_kmr_wpu0XFM4uaq3kym';
// ...
String _hashPassword(String password) {
  final bytes = utf8.encode(password);
  return sha256.convert(bytes).toString();
}
// ...
Future<String> _createPasswordSecret(String password) {
  final passwordHash = _hashPassword(password);
  return Aes256Gcm.encrypt(_secretToEncrypt, passwordHash);
}
Impact
This issue allows an attacker to quickly discover the user's password or PIN.
Recommendations
The Fuelet team should use a secure hash function such as Argon2 or Scrypt to hash the password.
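A sketch of the recommended check, added here as an example and not taken from the Fuelet code base: it is written in Python rather than Dart so that it runs with the standard library alone, and it derives the key with scrypt and a random per-user salt. Assumptions: the cost parameters, the record layout, the function names and the label are hypothetical, and an HMAC verifier stands in for the AES-GCM decryption of a known value.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Illustrative cost parameters (assumption): tune N to the slowest target device.
N, R, P = 2**14, 8, 1
CHECK_LABEL = b"password-check-v1"  # hypothetical label, not Fuelet's constant


def derive(secret: str, salt: bytes, n: int = N, r: int = R, p: int = P) -> bytes:
    """scrypt output: 32 bytes to check the secret + 32 bytes to encrypt data."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=256 * n * r, dklen=64)


def create_record(secret: str) -> dict:
    """Build the stored record: salt, parameters and verifier, never the key."""
    salt = os.urandom(16)  # random per-user salt blocks precomputed tables
    check_key = derive(secret, salt)[:32]
    tag = hmac.new(check_key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "n": N, "r": R, "p": P, "verifier": tag}


def verify(secret: str, rec: dict) -> Optional[bytes]:
    """Return the 32-byte data key if the secret matches, else None."""
    okm = derive(secret, rec["salt"], rec["n"], rec["r"], rec["p"])
    tag = hmac.new(okm[:32], CHECK_LABEL, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return okm[32:] if hmac.compare_digest(tag, rec["verifier"]) else None


def seconds_per_guess(fn, rounds: int = 3) -> float:
    """Average wall-clock cost of one derivation, i.e. one offline guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    rec = create_record("123456")  # constructed sample PIN
    assert verify("123456", rec) is not None and verify("654321", rec) is None
    fast = seconds_per_guess(lambda: hashlib.sha256(b"123456").digest(), 1000)
    slow = seconds_per_guess(lambda: derive("123456", rec["salt"]))
    print(f"SHA-256: {fast:.2e} s/guess, scrypt: {slow:.2e} s/guess")
```

A memory-hard KDF raises the cost of each offline guess but adds no entropy to a short PIN, so N should be set as high as the target devices tolerate.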