Categories: HackingSecurity

PHP hash comparison flaw is a risk for million users

New PHP vulnerability dubbed ‘Magic Hash’ being found by Robert Hansen (aka RSnake) of WhiteHat Security can enable attackers into breaching users’ accounts.

New vulnerability dubbed ‘Magic Hash’ being found by Robert Hansen (aka RSnake) of WhiteHat Security can enable attackers into breaching users’ accounts.

Because of a security flaw according to which PHP tackles ‘hashed’ strings in specific situation attackers are given the opportunity to try and breach passwords, authentication systems and other functions being run on PHP hash comparisons, WhiteHat security researcher says.

VP of WhiteHat, Robert Hansen, declared that any website is vulnerable to the flaw – the only thing is, two specific kinds of PHP hashes the vulnerable site uses for comparing ‘hashes’ in PHP language.

The problem occurs in the way hashed strings are handled by PHP when either “!=” or “==” (double equal) operators are being utilized to compare ‘em. Whenever any of these 2 operators gets to use for comparing the hashes, PHP interprets every hashed value that begins with the ‘0e’ with 0 as the value for it.

The issue mostly affects authentication, but it could also effect “forgot password” flows, nonces, binary checking, cookies, and passwords, among other things, Hansen, aka RSnake, told Dark Reading. “It totally depends on the website, and how it’s constructed.”

“Think of “0e…” as being the scientific notation for “0 to the power of some value” and that is always “0”, Hansen noted in a blog post Friday. “PHP interprets the string as an Integer.”

So take it as if two passwords are being hacked and the hashed values for both beings with ‘0e’ that’s followed with numerals, PHP is going to intercept both of them as having same value being 0. Despite the fact that hash values associated with these two passwords a different all together, still PHP would treat both as number 0 in case 0e is what with which they begin and whenever either ‘!=’ or ‘==’ are used.

There is no doubt that implications of the issue are huge, as it gives the attackers a way for trying and compromising users’ account simply by inserting a string of code that whenever hashed is equated to the 0 by PHP. Hansen said, if a password in the database is represented the same way, the attacker will get access to the account.

Hansen said, the problem itself has been known for at least a year. But what hasn’t been available are examples of hash types that when hashed begin with the ‘0e’ format that ends up getting equated to zero, he added further.

Hansen listed a decent number of “magic” numbers that can be used for the passwords, which whenever hashed, get treated as Zero by the PHP.

When such hashes are compared against the hashes of actual password, values that are also treated as 0 by PHP they end up getting evaluated as being equivalent, or true. In such cases attackers will be able to log into the account without the valid password, he said.

To find strings, he iterated more than one billion ‘hashed’ integers of various hash types such as SHA1 and MD5. Though the trick was not much sufficient it worked reasonably good to find string codes that triggered weakness for the most hash-algorithms having 32 characters (or less) as their length, stated Hansen in his blog.

Hansen stated he estimated the chances of a 32-character hash triggering the issue was somewhere in the range of 1 in 200 million. Now it might look like a low probability to many folks, but still, most of the times it’s enough for the attackers who go with trying and triggering the flaw – more specifically, websites with high volume of traffic or those who’ve a number of credentials.

He said, addressing the problem is very simple. Websites using PHP should analyze their code for hash comparisons in PHP using ‘==’ or ‘!= and change them to ‘===’ or ‘!==’ respectively, said Hansen.

Written by: Ali Qamar, Founder/Chief Editor at

Author Bio:
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57

Pierluigi Paganini

(Security Affairs –  PHP, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

LockBit claims the hack of the US Federal Reserve

The Lockbit ransomware group announced that it had breached the US Federal Reserve and exfiltrated…

2 hours ago

Ransomware threat landscape Jan-Apr 2024: insights and challenges

Between Jan and Apr 2024, the global ransomware landscape witnessed significant activity, with 1420 ransomware…

4 hours ago

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

The cybercrime group ExCobalt targeted Russian organizations in multiple sectors with a previously unknown backdoor…

5 hours ago

Threat actor attempts to sell 30 million customer records allegedly stolen from TEG

A threat actor is offering for sale customer data allegedly stolen from the Australia-based live…

15 hours ago

Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995

Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly…

1 day ago

This website uses cookies.