First installment of the Security Breach Spotlight: PyCrypto, its fork PyCryptodome, and the vulnerabilities that have affected them.
Cryptographic Weaknesses in PyCrypto and PyCryptodome: A Hidden Security Threat
Cryptographic security is essential in modern applications, but vulnerabilities in widely used Python libraries like PyCrypto and its successor PyCryptodome have put encrypted data at risk.
One major issue has been the use of weak pseudo-random number generators (PRNGs), which can lead to predictable encryption keys. Additionally, some implementations of padding schemes, such as PKCS#7, have been found vulnerable to padding oracle attacks, where attackers can infer sensitive information by manipulating ciphertexts and observing system responses.
These flaws can allow an attacker to decrypt sensitive data without ever knowing the encryption key.
The most significant problem with PyCrypto is that it has been deprecated since 2015, meaning any discovered vulnerabilities remain unpatched. While PyCryptodome was created as a maintained fork, older versions still inherited security flaws from PyCrypto.
Developers relying on these libraries without updating or implementing additional security measures risk exposing their applications to brute-force decryption, session hijacking, and data breaches. The failure to use cryptographically secure random number generation further exacerbates these risks, making it easier for attackers to predict encrypted outputs.
To mitigate these security concerns, developers should avoid using PyCrypto entirely and ensure they are using the latest version of PyCryptodome. Even better, they should opt for a more modern library such as the third-party cryptography package for Python, which is regularly updated and follows best practices for secure encryption. Additionally, generating a fresh random IV for every message from a cryptographically secure source, implementing constant-time cryptographic comparisons, and using authenticated encryption modes (such as AES-GCM) can significantly reduce the risk of cryptographic attacks.
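An added example, not code from the post or from either library, showing the two fixes above that need only the Python standard library: keys and IVs drawn from the OS CSPRNG via secrets rather than a seeded PRNG, and a constant-time HMAC check that rejects a tampered ciphertext before any PKCS#7 unpadding can run, so no padding oracle is exposed. The cipher itself (the post's recommended AES-GCM from the cryptography package) is out of scope here; predictable_key, secure_key_and_iv, compute_tag, tag_is_valid and pkcs7_unpad are assumed helper names.

```python
import hashlib
import hmac
import random
import secrets

AES_BLOCK = 16  # AES block size in bytes; PKCS#7 pads to this boundary


def predictable_key(seed: int, length: int = 32) -> bytes:
    """The flawed pattern: a key built from a seeded, non-cryptographic PRNG.
    Anyone who can guess the seed (a timestamp, a PID) reproduces the key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def secure_key_and_iv(key_len: int = 32) -> tuple[bytes, bytes]:
    """The corrected pattern: key and a fresh per-message IV from the OS CSPRNG."""
    return secrets.token_bytes(key_len), secrets.token_bytes(AES_BLOCK)


def compute_tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over IV || ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def tag_is_valid(mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison. Call this first: a message that fails here
    must never reach decryption or unpadding, which removes the padding oracle."""
    expected = compute_tag(mac_key, iv, ciphertext)
    return hmac.compare_digest(expected, tag)


def pkcs7_unpad(padded: bytes) -> bytes:
    """Strip PKCS#7 padding from authenticated plaintext, raising one uniform
    error for every malformed case so the caller cannot tell them apart."""
    if not padded or len(padded) % AES_BLOCK:
        raise ValueError("invalid message")
    n = padded[-1]
    if n < 1 or n > AES_BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid message")
    return padded[:-n]


if __name__ == "__main__":
    # Constructed sample values: a fixed MAC key and a stand-in ciphertext block.
    mac_key = b"m" * 32
    key, iv = secure_key_and_iv()
    ciphertext = b"\x01" * AES_BLOCK
    tag = compute_tag(mac_key, iv, ciphertext)
    tampered = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    print("genuine accepted:", tag_is_valid(mac_key, iv, ciphertext, tag))
    print("tampered rejected:", not tag_is_valid(mac_key, iv, tampered, tag))
    print("same seed, same key:", predictable_key(42) == predictable_key(42))
```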
As security threats continue to evolve, developers must stay vigilant in choosing and maintaining their libraries to protect sensitive data. This is exactly what we do at Protean Labs: we help you maintain those libraries by identifying security threats for you.