"except for checking that two 32-bit hashes were the same length"
Not quite. It only checks the entered password against the stored password but checking length is what it didn't do. The result is, if I enter a password of one character it checks that character against the first character of the stored password, essentially. This means, without any altering of the login at all you can just type through the alphabet until it grants access. People have been talking about how the ME system is a terrible security concept for years but they didn't care, and they won't start now. I read one guy said they likely leaked this as an excuse to disable the new ME remover technique with an "update."

Reply via email to