GMS-2021-95: accounts: Hash account number using Salt
@alovak found that when we build the hash of an account number we do not “salt” it, which makes it vulnerable to a rainbow table attack.
What did you expect to see? I expected a salt (some random number from configuration) to be used in hash.AccountNumber.
I would generate the salt per tenant at least (maybe per organization).
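The weakness and the proposed fix, shown side by side as an added example (this is not the project's own hash.AccountNumber code; the function names, the per-tenant key handling and the sample account numbers are constructed for illustration). Account numbers have very little entropy, so an unkeyed digest can be precomputed for the whole space and reversed by lookup; keying the digest with a per-tenant secret from configuration makes a precomputed table useless across tenants, while keeping the hash deterministic within one tenant so that lookups still work.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// UnsaltedAccountNumberHash mirrors the weakness described above: the digest
// depends only on the account number, so it is identical for every tenant and
// can be precomputed in advance. (Constructed example, not the project's code.)
func UnsaltedAccountNumberHash(accountNumber string) string {
	sum := sha256.Sum256([]byte(accountNumber))
	return hex.EncodeToString(sum[:])
}

// SaltedAccountNumberHash keys the digest with a per-tenant secret. HMAC is
// used instead of plain concatenation because it is the standard keyed
// construction over SHA-256. Because account numbers are low-entropy, the
// salt must stay secret (loaded from configuration, not stored next to the
// hashes) to also resist online brute force, not only precomputed tables.
func SaltedAccountNumberHash(tenantSalt []byte, accountNumber string) string {
	mac := hmac.New(sha256.New, tenantSalt)
	mac.Write([]byte(accountNumber))
	return hex.EncodeToString(mac.Sum(nil))
}

// NewTenantSalt draws a fresh 32-byte salt from the OS CSPRNG; one would be
// generated per tenant (or per organization) and kept in configuration.
func NewTenantSalt() ([]byte, error) {
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// PrecomputeUnsalted builds a digest -> account number table for a candidate
// list, which is exactly what a rainbow/lookup table exploits when no salt
// is used. It is included here to make the risk measurable, not to attack.
func PrecomputeUnsalted(candidates []string) map[string]string {
	table := make(map[string]string, len(candidates))
	for _, c := range candidates {
		table[UnsaltedAccountNumberHash(c)] = c
	}
	return table
}

// Reversible reports whether a stored digest can be reversed with the table.
func Reversible(table map[string]string, digest string) (string, bool) {
	plain, ok := table[digest]
	return plain, ok
}

func main() {
	// Constructed sample account numbers.
	candidates := []string{"123456789", "123456790", "987654321"}
	table := PrecomputeUnsalted(candidates)

	stored := UnsaltedAccountNumberHash("987654321")
	if plain, ok := Reversible(table, stored); ok {
		fmt.Println("unsalted digest reversed to:", plain)
	}

	saltA, _ := NewTenantSalt()
	saltB, _ := NewTenantSalt()
	keyed := SaltedAccountNumberHash(saltA, "987654321")
	if _, ok := Reversible(table, keyed); !ok {
		fmt.Println("salted digest not found in precomputed table")
	}
	fmt.Println("same tenant, same input, deterministic:",
		keyed == SaltedAccountNumberHash(saltA, "987654321"))
	fmt.Println("different tenants differ:",
		keyed != SaltedAccountNumberHash(saltB, "987654321"))
}
```

Rotating a tenant's salt invalidates every stored hash for that tenant, so a rollout needs either a re-hash migration or a key identifier stored alongside each digest.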