[GH-ISSUE #1109] Token generation may be vulnerable to Modulo Bias #784

Closed
opened 2026-03-03 02:03:11 +03:00 by kerem · 1 comment

Originally created by @zyuiop on GitHub (Aug 22, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1109

Modulo Bias is an issue with random number generators where some numbers have a higher chance to be found than others. See an article about this bias and how to avoid it here: https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/

Here is the line where the bias arises:
https://github.com/dani-garcia/bitwarden_rs/blob/eba22c2d9429b9f9bad5baff9b1d571b469645c9/src/crypto.rs#L67

From what I saw in the code, this seems to be used (only?) for two factor authentication, so this may not be very problematic.

kerem closed this issue 2026-03-03 02:03:11 +03:00

@dani-garcia commented on GitHub (Aug 22, 2020):

This shouldn't be a problem in practice as long as users don't configure the token generation to be over 16 or so:
For example using a 16 digit length, the numbers at the start would have 1844 chances to appear (2^64 / 10^16), while the ones at the end would have 1855 which is basically close enough to random for this case I think.

But yeah, using the max of 19 would give the first numbers in the range 50% more chance to appear, so I think we should at the very least make the limit lower.
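Added example, not part of the issue thread or of the vaultwarden code base: it counts exactly how many 64-bit inputs map to each token under plain modulo reduction, and shows rejection sampling as the unbiased alternative. It assumes the token is a `u64` draw reduced modulo 10^digits; `bias`, `token_modulo`, `token_rejection` and the `next_u64` source are hypothetical names, and the draws in `main` are constructed values standing in for a CSPRNG.

```rust
// Added example, not vaultwarden code. Assumes the token is a u64 draw
// reduced modulo 10^digits; all function names here are hypothetical.
const SPACE: u128 = 1 << 64; // number of distinct u64 values

/// Returns (inputs per favoured token, inputs per other token, favoured tokens).
fn bias(digits: u32) -> (u128, u128, u128) {
    let m = 10u128.pow(digits);
    let (q, r) = (SPACE / m, SPACE % m);
    // Tokens 0..r are produced by q + 1 inputs, tokens r..m by q inputs.
    (q + 1, q, r)
}

/// Biased: plain reduction of one draw.
fn token_modulo(next_u64: &mut impl FnMut() -> u64, digits: u32) -> u64 {
    next_u64() % 10u64.pow(digits)
}

/// Unbiased: rejection sampling, redrawing anything in the partial top block.
fn token_rejection(next_u64: &mut impl FnMut() -> u64, digits: u32) -> u64 {
    let m = 10u128.pow(digits);
    let zone = SPACE - SPACE % m; // largest multiple of m that is <= 2^64
    loop {
        let x = next_u64() as u128;
        if x < zone {
            return (x % m) as u64;
        }
    }
}

fn main() {
    for digits in [6, 16, 19] {
        let (hi, lo, favoured) = bias(digits);
        println!("{digits} digits: {favoured} tokens have {hi} inputs, the rest {lo}");
    }
    // Constructed draws standing in for a CSPRNG: the first lies above the zone.
    let mut a = vec![u64::MAX, 42].into_iter();
    let mut b = a.clone();
    println!("modulo:    {}", token_modulo(&mut || a.next().unwrap(), 19));
    println!("rejection: {}", token_rejection(&mut || b.next().unwrap(), 19));
}
```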
