Dart Pointycastle Argon2 Weak Memory
Description
This vulnerability detector identifies weak Argon2 password hashing configurations in Dart applications that use the pointycastle or argon2 libraries. An Argon2 configuration with an insufficient memory cost is cheap to evaluate many times in parallel on commodity hardware, which makes the resulting password hashes easier to brute force.
Detection Strategy
• The detector is triggered when the pointycastle or argon2 package is imported in Dart code
• It looks for function calls that match Argon2 derivation method patterns (methods ending with specific suffixes that indicate key derivation)
• The first argument of these function calls must contain password-related content (identified by naming patterns or context)
• The Argon2 configuration must use weak parameters, specifically insufficient memory cost settings that make the hashing vulnerable to attacks
Vulnerable code example
import 'dart:typed_data';
import 'package:pointycastle/export.dart';

void weakArgon2(Uint8List password, Uint8List salt) {
  final gen = Argon2BytesGenerator();
  gen.init(Argon2Parameters(
    Argon2Parameters.ARGON2_id,
    salt, ...
✅ Secure code example
import 'dart:typed_data';
import 'package:pointycastle/export.dart';

void secureArgon2(Uint8List password, Uint8List salt) {
  final gen = Argon2BytesGenerator();
  gen.init(Argon2Parameters(
    Argon2Parameters.ARGON2_id,
    salt, ...
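Both examples above are cut off before the cost parameters. The following is an added, complete example (not Fluid Attacks' detector code and not pointycastle's own) that places the weak and the hardened configuration side by side and includes a small check mirroring the detector's memory-cost condition. Assumptions: the named parameters `memory` (in KiB), `iterations` and `lanes` of pointycastle's `Argon2Parameters`, its `generateBytes` method, and the OWASP Password Storage Cheat Sheet minimum (19 MiB, 2 iterations, 1 lane) as the threshold, since the page does not state the detector's own threshold.

```dart
import 'dart:typed_data';
import 'package:pointycastle/export.dart';

// OWASP Password Storage Cheat Sheet minimum for Argon2id:
// 19 MiB of memory, 2 iterations, 1 lane of parallelism.
const int kMinMemoryKib = 19 * 1024;
const int kMinIterations = 2;

/// Mirrors the detector's condition in code: a configuration is weak
/// when its memory cost (in KiB) or iteration count falls below the
/// OWASP minimum. The detector's real threshold is not given on this
/// page, so the OWASP figure is assumed here.
bool isWeakArgon2(int memoryKib, int iterations) =>
    memoryKib < kMinMemoryKib || iterations < kMinIterations;

Uint8List _derive(Argon2Parameters params, Uint8List password) {
  final gen = Argon2BytesGenerator()..init(params);
  final out = Uint8List(32); // 256-bit hash
  gen.generateBytes(password, out, 0, out.length);
  return out;
}

/// Vulnerable: 1 MiB (constructed value) lets an attacker evaluate many
/// guesses in parallel on a GPU, so the detector would flag it.
Uint8List weakArgon2(Uint8List password, Uint8List salt) => _derive(
      Argon2Parameters(
        Argon2Parameters.ARGON2_id,
        salt,
        memory: 1024, // KiB (assumed parameter name and unit)
        iterations: 1,
        lanes: 1,
      ),
      password,
    );

/// Secure: meets the OWASP minimum. [salt] must be at least 16 random
/// bytes from a CSPRNG (e.g. FortunaRandom) and stored beside the hash.
Uint8List secureArgon2(Uint8List password, Uint8List salt) => _derive(
      Argon2Parameters(
        Argon2Parameters.ARGON2_id,
        salt,
        memory: kMinMemoryKib,
        iterations: kMinIterations,
        lanes: 1,
      ),
      password,
    );

void main() {
  print('weak config flagged: ${isWeakArgon2(1024, 1)}');
  print('secure config flagged: ${isWeakArgon2(kMinMemoryKib, kMinIterations)}');
}
```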