Open
Description
Hi all,
MEXC's sdk requires a 256-bit key for its HMAC-SHA256 api request signing.
However, the secret key is a 32-character hex string, whose UTF-8 values are fed directly to the SHA algorithm.
This is insecure, as it only provides 128 bits (not 256!) of entropy, because each character in the string only has 16 possible options, aka 4 bits: 4*32 = 128 bits of entropy.
Thus your API keys are only realistically 128 bits.
Solution:
It really should be 64 characters of hex that are parsed into 32 raw bytes, thus giving the full 256 bits of security that are desired.
Alternatively, 32 random bytes should be base64 encoded and supplied to users to use as keys.
Thanks
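The two key-handling patterns discussed in the issue, side by side, as an added example in Python. This is not code from MEXC's SDK; the secret values and the query string are constructed for illustration, and the function names are hypothetical. It shows why a 32-character hex string used as UTF-8 bytes is still a 32-byte HMAC key but with only 16 possible values per byte, how decoding 64 hex characters (or 44 base64 characters) yields 32 raw bytes, and a check that refuses keys shorter than 256 bits.

```python
import base64
import hashlib
import hmac
import math
import secrets

# Constructed sample values, not real MEXC credentials.
HEX32_SECRET = "0123456789abcdef0123456789abcdef"       # 32 hex chars: what the issue describes
HEX64_SECRET = "0123456789abcdef" * 4                    # 64 hex chars: the proposed fix
SAMPLE_QUERY = "symbol=BTCUSDT&timestamp=1700000000000"  # constructed request string


def effective_entropy_bits(secret: str, alphabet_size: int) -> float:
    """Entropy of a secret drawn uniformly from an alphabet of the given size
    (16 for hex, 64 for base64); each character contributes log2(alphabet) bits."""
    return len(secret) * math.log2(alphabet_size)


def distinct_key_byte_values(secret: str) -> int:
    """How many distinct byte values actually occur when the text is used as the key.
    For a hex string this can never exceed 16, however long the string is."""
    return len(set(secret.encode("utf-8")))


def sign_utf8(secret: str, message: str) -> str:
    """The weak pattern: the secret text's UTF-8 bytes are used directly as the HMAC key."""
    return hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_decoded_hex(secret_hex: str, message: str) -> str:
    """The proposed fix: decode the hex string to raw bytes and refuse anything under 256 bits."""
    key = bytes.fromhex(secret_hex)
    if len(key) < 32:
        raise ValueError(f"decoded key is only {len(key) * 8} bits; need at least 256")
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def generate_hex_secret() -> str:
    """32 random bytes as 64 hex characters (256 bits of entropy)."""
    return secrets.token_hex(32)


def generate_base64_secret() -> str:
    """The alternative from the issue: 32 random bytes, base64 encoded (44 characters)."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def decode_base64_secret(secret_b64: str) -> bytes:
    """Strict base64 decode so a malformed key fails loudly instead of silently shrinking."""
    key = base64.b64decode(secret_b64, validate=True)
    if len(key) < 32:
        raise ValueError(f"decoded key is only {len(key) * 8} bits; need at least 256")
    return key


if __name__ == "__main__":
    print("32 hex chars as UTF-8 key:", effective_entropy_bits(HEX32_SECRET, 16), "bits,",
          distinct_key_byte_values(HEX32_SECRET), "distinct byte values")
    print("64 hex chars decoded:     ", effective_entropy_bits(HEX64_SECRET, 16), "bits")
    print("weak signature:", sign_utf8(HEX32_SECRET, SAMPLE_QUERY))
    print("fixed signature:", sign_decoded_hex(HEX64_SECRET, SAMPLE_QUERY))
    print("fresh hex secret:", generate_hex_secret())
    print("fresh base64 secret:", generate_base64_secret())
```

The point the numbers make: `sign_utf8` with a 32-character hex secret hands HMAC a 32-byte key, so nothing in the HMAC call looks wrong, yet an attacker guessing the key only has 16^32 = 2^128 candidates, not 2^256. The same hex string passed to `sign_decoded_hex` is rejected because it decodes to only 16 bytes, which is the check a client library should perform at construction time rather than at signing time.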