This vulnerability was analyzed during Episode 189 on 20 February 2023
Some malformed hashes will “validate” with any value compared using password_verify. This is due to an old hack in PHP’s Blowfish implementation where a malformed hash with a $ character in the salt segment results in an early break and bad following logic.
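One defensive check for the failure mode described above, added here as an example and not taken from the episode or from PHP’s own code: a wrapper that refuses to call password_verify() on any stored value that does not have the exact bcrypt shape, so a malformed row can never "validate" against an arbitrary password. The helper names and the sample hashes are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * True only if $hash has the exact bcrypt shape:
 *   "$2" + one of a/b/x/y + "$" + two-digit cost (04..31) + "$"
 *   + 22 salt characters + 31 digest characters,
 * all drawn from the bcrypt alphabet [./A-Za-z0-9]. A '$' inside the salt
 * or digest segment, the trigger for the early break above, fails this test.
 */
function isWellFormedBcrypt(string $hash): bool
{
    return strlen($hash) === 60
        && preg_match('/^\$2[abxy]\$(0[4-9]|[12][0-9]|3[01])\$[.\/A-Za-z0-9]{53}$/', $hash) === 1;
}

/**
 * Hardened verify (constructed helper): only a well-formed bcrypt string is
 * ever handed to password_verify(); anything else is treated as a failed
 * login and flagged for repair, regardless of how the runtime would parse it.
 */
function safeVerify(string $password, string $storedHash): bool
{
    if (!isWellFormedBcrypt($storedHash)) {
        error_log('Rejected malformed bcrypt hash; stored credential needs repair');
        return false;
    }
    return password_verify($password, $storedHash);
}

// Constructed sample values for a quick self-check. The cost is kept low so
// the example runs quickly; use a higher cost in production.
$good = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);

// Inject a '$' into the salt segment (character 10 sits inside the 22-char salt).
$malformed = substr($good, 0, 10) . '$' . substr($good, 11);

var_dump(safeVerify('correct horse', $good));          // correct password, well-formed hash
var_dump(safeVerify('anything at all', $good));        // wrong password, well-formed hash
var_dump(safeVerify('anything at all', $malformed));   // malformed hash is rejected before verification
```

The same isWellFormedBcrypt() check can be run offline over a credential table to find stored values that would reach password_verify() in a malformed state.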