Skip to content

Instantly share code, notes, and snippets.

@defuse
Created May 12, 2018 01:59
Show Gist options
  • Save defuse/6c5d6e857abce50400195ccd006c71ad to your computer and use it in GitHub Desktop.
Save defuse/6c5d6e857abce50400195ccd006c71ad to your computer and use it in GitHub Desktop.
Insecure code that's visually identical to secure code.
let KEY = new Uint8Array(16);
function generate_key() {
let KEY = new Uint8Array(16);
window.crypto.getRandomValues(KEY);
return KEY;
}
KEY = generate_key();
document.body.innerText = KEY;
@pgeffen
Copy link

pgeffen commented May 12, 2018

I can see two different KEYs. Look closely.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment