Java Snippet #02
Bookmarked!This challenge covers the review of a snippet of code written in Java
The Code Review Snippet challenges provide small snippets of vulnerable code for you to analyze and identify issues. In this challenge, we focus on a Java class named Otp
that generates one-time passwords (OTPs). The class uses the Random
class from java.util
to generate a four-digit OTP by appending random digits in a loop.
A key issue with this approach is that java.util.Random
is not suitable for cryptographic purposes, making the OTPs predictable. Additionally, the static Random
object is reused, meaning that consecutive OTPs can potentially be predicted if the internal state of the random generator is known. This combination of a weak random generator and static state reuse exposes the system to security vulnerabilities, allowing attackers to predict previous or future OTPs.