Clarification on Potential Privacy Violation in pdfmake.min.js - Social Security Numbers?
Hello,
We are using the pdfmake.min.js library in our application (Koha open-source software). During a security review, our team identified a potential privacy violation flagged as "Social Security Numbers" due to the presence of the following numbers in the file:
1732584193, 4023233417, 2562383102, 271733878
These numbers appear in the following part of the code:
w[i]=4294967296*r.abs(r.sin(i+1))|0}();var _=y.MD5=g.extend({_doReset:function _doReset(){this._hash=new p.init([1732584193,4023233417,2562383102,271733878])},
[o]=i[o];for(i[0]=i[0]+1295307597+this._b|0,i[1]=i[1]+3545052371+(i[0]>>>0<g[0]>>>0?1:0)|0,i[2]=i[2]+886263092+(i[1]>>>0<g[1]>>>0?1:0)|0,i[3]=i[3]+1295307597+(i[2]>>>0<g[2]>>>0?1:0)|0,i[4]=i[4]+3545052371+(i[3]>>>0<g[3]>>>0?1:0)|0,i[5]=i[5]+886263092+(i[4]>>>0<g[4]>>>0?1:0)|0,i[6]=i[6]+1295307597+(i[5]>>>0<g[5]>>>0?1:0)|0,i[7]=i[7]+3545052371+(i[6]>>>0<g[6]>>>0?1:0)|0,this._b=i[7]>>>0<g[7]>>>0?1:0,o=0;o<8;o++){var u=r[o]+i[o],p=65535&u,w=u>>>16,_=((p*p>>>17)+p*w>>>15)+w*w,x=
We would like to understand:
* What is the purpose of these specific numbers in the code?
* Are these numbers indeed Social Security Numbers, or are they unrelated (e.g., used for cryptographic or hashing purposes)?
Any clarification on this matter would be greatly appreciated, as we need to address this concern for compliance purposes.
Thank you!
Replies
pdfmake is a third party library. I would ask the authors.
https://pdfmake.github.io/docs/0.1/
I checked the four numbers you provide above:
https://www.ssn-check.org/
The numbers are either too long for an SSN or just invalid. Hence: No SSNs, I guess. But the authors will know more about it.
Thank you for the quick response.
I think that is an unfortunate artifact of the fact that SSNs are a 9 digit number. There will inevitably be other uses for those numbers!
In this case, the plain source for pdfmake uses:
As you can see these are hex numbers, and are used as part of their MD5 hashing algorithm. There is no intent to use them as SSNs in the pdfmake.
The fact that they aren't even valid SSNs, as @rf1234 points out, suggests that the security team have seen a "long number" and made an assumption without actually looking at the use case, the code, or attempting to understand what is going on. Sounds like they've run a script rather than actually looking for issues.
Allan
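To make the point above concrete, here is an added example (my own code, not from this thread, from pdfmake or from the CryptoJS code it bundles). It assumes the RFC 1321 MD5 definition: the four flagged decimals are the hex initial-state words 67452301, efcdab89, 98badcfe and 10325476, and the `4294967296*r.abs(r.sin(i+1))|0` fragment in the question is the sine-derived round-constant table. Seeding a from-scratch MD5 with the flagged integers reproduces the RFC 1321 test vectors, which is the evidence that settles what they are. The structural SSN check at the end shows why a digit-pattern scanner still raises the alert: three of the values are ten digits long, but the fourth does pass the purely structural rules (nine digits, area not 000/666/9xx, group not 00, serial not 0000), so a scanner that looks at nothing but digit shape cannot tell it apart from an SSN; only the surrounding code can.

```javascript
// Added example (not code from the forum thread, pdfmake or CryptoJS):
// the four flagged integers are the MD5 initial state words A, B, C, D
// from RFC 1321. A from-scratch MD5 seeded with exactly those integers
// reproduces the RFC 1321 test vectors, and a structural SSN check shows
// why a digit-pattern scanner can still flag one of them.

const FLAGGED = [1732584193, 4023233417, 2562383102, 271733878];

// RFC 1321 initial state, as it is usually written in source code.
const MD5_IV_HEX = ["67452301", "efcdab89", "98badcfe", "10325476"];

function toHex32(n) {
  return (n >>> 0).toString(16).padStart(8, "0");
}

// True when the four integers are exactly the MD5 initialisation vector.
function isMd5InitialState(words) {
  return words.length === 4 && words.every((w, i) => toHex32(w) === MD5_IV_HEX[i]);
}

// Per-round left-rotation amounts from RFC 1321.
const S = [
  7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
  5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
  4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
  6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
];

// K[i] = floor(2^32 * |sin(i + 1)|): the same table the minified line
// "w[i]=4294967296*r.abs(r.sin(i+1))|0" quoted in the question builds at load time.
const K = Array.from({ length: 64 }, (_, i) =>
  Math.floor(4294967296 * Math.abs(Math.sin(i + 1))) >>> 0);

function rotl(x, c) {
  return ((x << c) | (x >>> (32 - c))) >>> 0;
}

// MD5 of a UTF-8 string, with the FLAGGED integers used as the (A, B, C, D) seed.
function md5Hex(message) {
  const msg = new TextEncoder().encode(message);
  const total = Math.ceil((msg.length + 9) / 64) * 64; // room for 0x80 and the 64-bit length
  const buf = new Uint8Array(total);
  buf.set(msg);
  buf[msg.length] = 0x80;
  const view = new DataView(buf.buffer);
  const bitLen = msg.length * 8;
  view.setUint32(total - 8, bitLen >>> 0, true);                  // low 32 bits, little-endian
  view.setUint32(total - 4, Math.floor(bitLen / 4294967296), true); // high 32 bits

  let [a0, b0, c0, d0] = FLAGGED;
  for (let off = 0; off < total; off += 64) {
    const M = [];
    for (let j = 0; j < 16; j++) M.push(view.getUint32(off + j * 4, true));
    let A = a0, B = b0, C = c0, D = d0;
    for (let i = 0; i < 64; i++) {
      let F, g;
      if (i < 16) { F = (B & C) | (~B & D); g = i; }
      else if (i < 32) { F = (D & B) | (~D & C); g = (5 * i + 1) % 16; }
      else if (i < 48) { F = B ^ C ^ D; g = (3 * i + 5) % 16; }
      else { F = C ^ (B | ~D); g = (7 * i) % 16; }
      const t = (F + A + K[i] + M[g]) >>> 0; // sum stays well below 2^53, so no precision loss
      A = D; D = C; C = B;
      B = (B + rotl(t, S[i])) >>> 0;
    }
    a0 = (a0 + A) >>> 0; b0 = (b0 + B) >>> 0; c0 = (c0 + C) >>> 0; d0 = (d0 + D) >>> 0;
  }
  // The digest is the four state words serialised little-endian.
  return [a0, b0, c0, d0].map((w) =>
    [0, 8, 16, 24].map((sh) => ((w >>> sh) & 0xff).toString(16).padStart(2, "0")).join("")
  ).join("");
}

// Structural US SSN rules (AAA-GG-SSSS): nine digits, area not 000/666/900-999,
// group not 00, serial not 0000. This is the kind of test a pattern scanner applies;
// it says nothing about how the number is used.
function passesSsnFormat(n) {
  const s = String(n);
  if (!/^\d{9}$/.test(s)) return false;
  const area = Number(s.slice(0, 3));
  return area !== 0 && area !== 666 && area < 900 &&
    Number(s.slice(3, 5)) !== 0 && Number(s.slice(5)) !== 0;
}

console.log(FLAGGED.map(toHex32).join(" "));   // 67452301 efcdab89 98badcfe 10325476
console.log(isMd5InitialState(FLAGGED));       // true
console.log(md5Hex(""));                       // d41d8cd98f00b204e9800998ecf8427e
console.log(FLAGGED.map(passesSsnFormat));     // [ false, false, false, true ]
```

Run it with any recent Node.js (`TextEncoder` is a global there). If the seed words were anything other than the MD5 IV, `md5Hex("")` would not produce the well-known `d41d8cd98f00b204e9800998ecf8427e`, so the matching digest is a stronger argument for a compliance reviewer than any SSN validator: the numbers are fixed, public constants of a hash function, not data about a person.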