Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The code uses random number generators that are not cryptographically secure, such as random(), arc4random(), or Int.random(). These should not be used for generating secrets, tokens, or any values related to security.
Impact#
If insecure random number generators are used in security-sensitive contexts, attackers may be able to predict values like authentication tokens or cryptographic keys, leading to compromised user data, account takeovers, or other serious breaches.