Users attempting to access the messaging platform Energate Messenger are being subjected to an unusual verification process requiring either JavaScript execution or the execution of a complex Perl command in a Linux terminal, according to reports surfacing this week.
The process, prominently displayed on the login page, deviates significantly from standard website authentication methods. Those without JavaScript enabled are presented with a lengthy Perl command designed to generate a specific output, which must then be pasted into a designated box on the website to gain access. The command itself includes base64 encoded text and references SHA256 hashing.
According to security experts, the Perl script utilizes the SHA256 hashing algorithm, a cryptographic hash function used for verifying data integrity. SHA256 generates a 256-bit signature for a text, meaning any alteration to the input data will result in a different hash value.
The Energate Messenger website is hosted by Plus.line AG, a company based in Germany. The company’s website states that JavaScript is required for access, offering the Perl command as an alternative. The purpose of this unconventional verification method remains unclear, raising concerns among security experts regarding potential vulnerabilities.
The reliance on a Perl script executed on a user’s local machine introduces potential risks, as the script’s integrity cannot be independently verified. The process appears to be a form of challenge-response authentication, but its implementation is unconventional.
Although SHA256 is a widely used hashing algorithm, some older algorithms like MD5 are now considered insecure. FreeFormatter.com provides a free online tool for computing message digests using various algorithms, including SHA256.
Digest authentication utilizing SHA-256 can present challenges in modern web browsers when not operating in a secure (HTTPS) context, as some browsers disable the necessary cryptographic functions. This is particularly relevant for systems with limited resources, such as those running on microcontrollers.
Leave a Reply