Manifest Password Hashing Vulnerability Prior to 4.9.2

Vulnerability

A cryptographic weakness exists in Manifest versions prior to 4.9.2, where user passwords are hashed using SHA3 without a salt. This flaw increases the risk of password cracking if an attacker gains access to the database, because identical passwords belonging to different users produce the same hash. Without a salt, an attacker can recognize such repeated hashes and reuse work across accounts, which speeds up cracking. Version 4.9.2 addresses this vulnerability by replacing the SHA3 hashing with bcrypt, which includes a per-password salt.

Impact

The impact lies in the weak password hashing, which makes user passwords easier to crack. The flaw affects all users of the system, because the lack of unique salts diminishes the protection that password hashing is meant to provide in the event of a database breach. Attackers can crack passwords more efficiently, especially where different users share the same password, since those accounts all store the same hash.

Reproduction

To reproduce this vulnerability, create two user accounts with the same password. Afterward, extract the password hashes from the database and verify that the hashes are identical, confirming the lack of unique salts in the hashing process.

Remediation

Update to Manifest version 4.9.2 or later, which addresses the vulnerability by implementing bcrypt hashing with a salt. Instructions for updating can be found in the project's release notes.
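The following is an added illustration, not Manifest's own code, covering the unsalted scheme described under Vulnerability, the duplicate-hash check from Reproduction, and the salted fix from Remediation. Because bcrypt is not in the Python standard library, the hardened form uses the standard-library scrypt KDF with a random 16-byte salt as a stand-in; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def legacy_hash(password: str) -> str:
    """Unsalted SHA3-256, as used by Manifest before 4.9.2.
    The same password always yields the same digest, whoever owns it."""
    return hashlib.sha3_256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow hash. The real fix is bcrypt; scrypt
    (stdlib) stands in here to show the effect of a per-password salt.
    Stored form: 'scrypt$<salt-hex>$<digest-hex>'."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def find_shared_hashes(rows):
    """Audit check matching the reproduction step: given (user, hash)
    rows from the database, return every hash shared by 2+ accounts."""
    by_hash = defaultdict(list)
    for user, stored in rows:
        by_hash[stored].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# Constructed sample accounts; two users chose the same password.
USERS = [("alice", "correct horse"), ("bob", "correct horse"),
         ("carol", "hunter2")]


def demo():
    """Return (shared hashes under SHA3, shared hashes under salted KDF)."""
    legacy_rows = [(u, legacy_hash(p)) for u, p in USERS]
    salted_rows = [(u, salted_hash(p)) for u, p in USERS]
    return find_shared_hashes(legacy_rows), find_shared_hashes(salted_rows)


if __name__ == "__main__":
    legacy_dupes, salted_dupes = demo()
    print("unsalted SHA3 shared hashes:", legacy_dupes)  # alice and bob collide
    print("salted KDF shared hashes:   ", salted_dupes)  # {}
```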

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.