Java Snippet #02
This challenge covers the review of a snippet of code written in Java
The Code Review Snippet challenges provide small snippets of vulnerable code for you to analyze and identify issues. In this challenge, we focus on a Java class named Otp that generates one-time passwords (OTPs). The class uses the Random class from java.util to generate a four-digit OTP by appending random digits in a loop.
A key issue with this approach is that java.util.Random is not suitable for cryptographic purposes, making the OTPs predictable. Additionally, the static Random object is reused, meaning that consecutive OTPs can potentially be predicted if the internal state of the random generator is known. This combination of a weak random generator and static state reuse exposes the system to security vulnerabilities, allowing attackers to predict previous or future OTPs.