Security Vulnerabilities Stemming from Dart/Flutter's Weak PRNG

2024-12-13

Zellic's research uncovered multiple security vulnerabilities caused by a weak pseudorandom number generator (PRNG) in Dart/Flutter. A flaw in the initialization of the `Random()` constructor within the Dart SDK resulted in insufficient entropy in generated keys, making them susceptible to brute-force attacks. This allowed attackers to easily gain access to the Dart Tooling Daemon, enabling them to read or write workspace files and even execute arbitrary code. The Proton Wallet and SelfPrivacy projects were also affected by this weak PRNG, experiencing encryption vulnerabilities and predictable password issues, respectively. While the vulnerability has been patched, developers are urged to exercise caution when using `Random()` and to use `Random.secure()` whenever cryptographically secure random numbers are required.
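The recommendation above, as an added example that is not code from Zellic's write-up or from the affected projects: a secret generated from `Random()` next to one drawn from `Random.secure()`. The function names `weakToken`, `osRandom` and `secureToken`, the alphabet and the seed value are assumptions made for illustration.

```dart
import 'dart:convert';
import 'dart:math';
import 'dart:typed_data';

/// Weak pattern: a non-cryptographic PRNG used for a secret. Its output is
/// a pure function of the seed, so a low-entropy seed means a guessable token.
String weakToken(Random rng, int length) {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  return List.generate(length, (_) => alphabet[rng.nextInt(alphabet.length)])
      .join();
}

/// Returns the platform CSPRNG, failing closed when none is available.
Random osRandom() {
  try {
    return Random.secure();
  } on UnsupportedError {
    // Never fall back to Random() for secrets.
    throw StateError('No secure random source available on this platform');
  }
}

/// Hardened pattern: raw bytes from Random.secure(), encoded as URL-safe text.
String secureToken(int byteLength) {
  final rng = osRandom();
  final bytes = Uint8List(byteLength);
  for (var i = 0; i < bytes.length; i++) {
    bytes[i] = rng.nextInt(256); // one uniformly distributed byte per call
  }
  return base64Url.encode(bytes).replaceAll('=', '');
}

void main() {
  // Constructed demonstration: the same seed reproduces the same "secret".
  const seed = 1234; // arbitrary sample value
  final first = weakToken(Random(seed), 16);
  final second = weakToken(Random(seed), 16);
  print('seeded Random() tokens identical: ${first == second}');

  // 32 bytes gives 256 bits of entropy from the operating system.
  final a = secureToken(32);
  final b = secureToken(32);
  print('Random.secure() tokens identical: ${a == b}');
  print('example secure token: $a');
}
```

When auditing a code base for this issue, search for `Random(` in any code path that produces keys, passwords, session tokens or service URIs, and replace each such use with `Random.secure()`.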
