I found this code in calcom/cal.diy (~44K GitHub stars), the open-source scheduling platform, at `apps/web/components/apps/make/Setup.tsx`, line 38:

```ts
const apiKey = `cal_live_${Math.random().toString(36).substring(2)}`;
```

Given a handful of consecutive `cal_live_` keys generated by the same process, an attacker can predict the next one. Not guess — predict. Here is why, and the ESLint rule that catches this pattern in 3 seconds.

## Why Math.random() is dangerous for tokens

`Math.random()` is a pseudo-random number generator — fast, but deterministic. Given V8's initial seed, its entire output sequence is fixed. An attacker who observes enough outputs can recover the 128-bit internal state and predict every future call.

```ts
// What you write:
const token = Math.random().toString(36).substring(2);
// V8 uses xorshift128+ under the hood.…
```