Saturday, 16 July 2011

Another issue with the .NET Random class

OK, maybe it is just me, but I was not aware that the Random class was not thread-safe (I was aware that it is recommended that you don't create a new Random object on every use).

I just documented my findings/experience at the O2 Blog and I have to say that I have the feeling that there are a number of security vulnerabilities out there created by this behaviour (think of a multi-threaded environment which receives a lot of traffic and uses the Random class for session/key/token/id generation).

And since the race only shows up once enough requests/threads are calling the same instance at the same time, it might not be easy to detect, debug and/or replicate. Note also that Random doesn't fail safely: once the race corrupts its internal state, there is no exception or other signal, the instance simply keeps returning 0 on every subsequent call, and anything derived from it (a session ID, a token) becomes predictable.
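The behaviour described above, reproduced as an added example (this is not code from the original post or from O2): one shared Random instance is hammered from several threads with no lock, then probed from a single thread to see whether it has collapsed into returning 0 for every call. The seed value, thread count and call count are assumptions; a seed is passed so that the legacy subtractive generator is exercised on every runtime (.NET Framework always uses it, .NET 6 and later only when a seed is supplied). The same block shows the two fixes a practitioner would reach for: a thread-local Random for non-security uses, and RandomNumberGenerator (RNGCryptoServiceProvider on .NET Framework) for anything that must be unpredictable.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;

// Added example, not code from the original post: demonstrates the shared-Random
// race and the two ways to avoid it. Seed, thread count and call count are
// arbitrary assumptions chosen to make the race likely on a multi-core machine.
static class RandomRaceDemo
{
    // Returns true if the shared instance is now stuck returning 0 on every call.
    public static bool SharedRandomCollapses(int threads = 8, int callsPerThread = 1_000_000)
    {
        // One instance shared by every thread: the anti-pattern under discussion.
        // The seed forces the legacy subtractive algorithm on .NET 6+ as well.
        var shared = new Random(12345);

        // The race: concurrent Next() calls with no lock around the shared state.
        Parallel.For(0, threads, new ParallelOptions { MaxDegreeOfParallelism = threads }, _ =>
        {
            for (int i = 0; i < callsPerThread; i++)
                shared.Next();
        });

        // The race is over; probe from a single thread. A healthy Random will not
        // yield 100 zeros in a row, a collapsed one yields nothing else.
        return Enumerable.Range(0, 100).All(_ => shared.Next() == 0);
    }

    // Fix for non-security uses (simulations, jitter, test data): one Random per
    // thread, so no internal state is ever shared between threads.
    private static readonly ThreadLocal<Random> PerThread =
        new ThreadLocal<Random>(() => new Random(Guid.NewGuid().GetHashCode()));

    public static int SafeNext(int maxValue) => PerThread.Value.Next(maxValue);

    // Fix for security-sensitive uses (session IDs, tokens, keys): do not use
    // Random at all. RandomNumberGenerator is a CSPRNG (RNGCryptoServiceProvider
    // on .NET Framework) and may be called from any thread.
    public static string NewToken(int bytes = 32)
    {
        var buf = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(buf);
        return Convert.ToBase64String(buf);
    }

    static void Main()
    {
        Console.WriteLine("shared Random collapsed to 0: " + SharedRandomCollapses());
        Console.WriteLine("thread-local Random sample:   " + SafeNext(1000));
        Console.WriteLine("CSPRNG token:                 " + NewToken());
    }
}
```

The race is timing-dependent, so a single run may report false; on a multi-core machine a few runs with the defaults are usually enough to see the collapse. When the race does not collapse the instance outright it can still leave the generator in a degraded state that the 100-zeros probe does not catch, and even a healthy Random is a deterministic, seedable generator, so it is not a suitable source for a session ID or token regardless of threading. (.NET 6 also added Random.Shared, which is thread-safe, but that addresses only the threading point, not the unpredictability one.)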

Here are a couple of projects that (look like they) use the Random class:

1 comment:

DragonnDev said...

You shouldn't be using the Random class to generate session IDs, tokens or anything else that is sensitive. You should be using the thread-safe & more secure RNGCryptoServiceProvider class.