Is this a zip encryption bug?
Clash Royale CLAN TAG#URR8PPP
I have recently discovered an exploit, where I(or assuming anyone) can re-encrypt my encrypted zip file without having to know the password:
#zip --encrypt encrypted.zip -r dir1/
The above will prompt the user to enter a new password. Is there something I'm missing, or is this a known issue?
encryption zip
asked Dec 18 at 19:42
lamino
7415
add a comment |
I have recently discovered an exploit, where I(or assuming anyone) can re-encrypt my encrypted zip file without having to know the password:
#zip --encrypt encrypted.zip -r dir1/
The above will prompt the user to enter a new password. Is there something I'm missing, or is this a known issue?
encryption zip
asked Dec 18 at 19:42
lamino
7415
5
Have you found a way to read the data in the original zip file?
– ctrl-alt-delor
Dec 18 at 20:24
@ctrl-alt-delor yes I didn't forget my password, I realised this by accident
– lamino
Dec 18 at 20:40
16
Sorry I meant, Have you found a way to read the data in the original zip file, without knowing the password?
– ctrl-alt-delor
Dec 18 at 20:53
add a comment |
I have recently discovered an exploit, where I(or assuming anyone) can re-encrypt my encrypted zip file without having to know the password:
#zip --encrypt encrypted.zip -r dir1/
The above will prompt the user to enter a new password. Is there something I'm missing, or is this a known issue?
encryption zip
asked Dec 18 at 19:42
lamino
7415
I have recently discovered an exploit, where I(or assuming anyone) can re-encrypt my encrypted zip file without having to know the password:
#zip --encrypt encrypted.zip -r dir1/
The above will prompt the user to enter a new password. Is there something I'm missing, or is this a known issue?
encryption zip
encryption zip
asked Dec 18 at 19:42
lamino
7415
asked Dec 18 at 19:42
lamino
7415
asked Dec 18 at 19:42
lamino
7415
asked Dec 18 at 19:42
lamino
7415
asked Dec 18 at 19:42
lamino
7415
7415
5
Have you found a way to read the data in the original zip file?
– ctrl-alt-delor
Dec 18 at 20:24
@ctrl-alt-delor yes I didn't forget my password, I realised this by accident
– lamino
Dec 18 at 20:40
16
Sorry I meant, Have you found a way to read the data in the original zip file, without knowing the password?
– ctrl-alt-delor
Dec 18 at 20:53
add a comment |
5
Have you found a way to read the data in the original zip file?
– ctrl-alt-delor
Dec 18 at 20:24
@ctrl-alt-delor yes I didn't forget my password, I realised this by accident
– lamino
Dec 18 at 20:40
16
Sorry I meant, Have you found a way to read the data in the original zip file, without knowing the password?
– ctrl-alt-delor
Dec 18 at 20:53
5
5
Have you found a way to read the data in the original zip file?
– ctrl-alt-delor
Dec 18 at 20:24
Have you found a way to read the data in the original zip file?
– ctrl-alt-delor
Dec 18 at 20:24
@ctrl-alt-delor yes I didn't forget my password, I realised this by accident
– lamino
Dec 18 at 20:40
@ctrl-alt-delor yes I didn't forget my password, I realised this by accident
– lamino
Dec 18 at 20:40
16
16
Sorry I meant, Have you found a way to read the data in the original zip file, without knowing the password?
– ctrl-alt-delor
Dec 18 at 20:53
Sorry I meant, Have you found a way to read the data in the original zip file, without knowing the password?
– ctrl-alt-delor
Dec 18 at 20:53
add a comment |
1 Answer
1
active
oldest
votes
Zip archives can have multiple passwords for different contained files. Files within an archive are essentially independent of each other - they are compressed without regard for other files, and they are encrypted in the same fashion. Your encrypted.zip will have two (or more) encrypted segments, one with your original password and one with the new one.
Trying to unzip the file would prompt for both passwords:
$ unzip ../test.zip
Archive: ../test.zip
[../test.zip] file1 password:
inflating: file1
inflating: file2
[../test.zip] newfile password:
inflating: newfile
The directory, the listing of file names, is not encrypted. This is not a bug, though it can be confusing and not all zip tools handle the situation well (particularly graphical tools).
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
2
Counter-intuitive but Interesting feature. Thanks for clarifying
– lamino
Dec 18 at 20:10
14
The directory, the listing of file names, is not encrypted - this is why situations where the directory listing is also sensitive often have the original files zipped unencrypted into a zip file, which is then zipped and encrypted into another zip file. Then the only thing that is visible without the password is the name of the inner zip file.
– Stobor
Dec 19 at 5:40
2
@Stobor on a related note, the.7zarchive format has the option to encrypt the directory listing as well as the files.
– user3490
Dec 19 at 18:56
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f489757%2fis-this-a-zip-encryption-bug%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Zip archives can have multiple passwords for different contained files. Files within an archive are essentially independent of each other - they are compressed without regard for other files, and they are encrypted in the same fashion. Your encrypted.zip will have two (or more) encrypted segments, one with your original password and one with the new one.
Trying to unzip the file would prompt for both passwords:
$ unzip ../test.zip
Archive: ../test.zip
[../test.zip] file1 password:
inflating: file1
inflating: file2
[../test.zip] newfile password:
inflating: newfile
The directory, the listing of file names, is not encrypted. This is not a bug, though it can be confusing and not all zip tools handle the situation well (particularly graphical tools).
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
2
Counter-intuitive but Interesting feature. Thanks for clarifying
– lamino
Dec 18 at 20:10
14
The directory, the listing of file names, is not encrypted - this is why situations where the directory listing is also sensitive often have the original files zipped unencrypted into a zip file, which is then zipped and encrypted into another zip file. Then the only thing that is visible without the password is the name of the inner zip file.
– Stobor
Dec 19 at 5:40
2
@Stobor on a related note, the.7zarchive format has the option to encrypt the directory listing as well as the files.
– user3490
Dec 19 at 18:56
add a comment |
Zip archives can have multiple passwords for different contained files. Files within an archive are essentially independent of each other - they are compressed without regard for other files, and they are encrypted in the same fashion. Your encrypted.zip will have two (or more) encrypted segments, one with your original password and one with the new one.
Trying to unzip the file would prompt for both passwords:
$ unzip ../test.zip
Archive: ../test.zip
[../test.zip] file1 password:
inflating: file1
inflating: file2
[../test.zip] newfile password:
inflating: newfile
The directory, the listing of file names, is not encrypted. This is not a bug, though it can be confusing and not all zip tools handle the situation well (particularly graphical tools).
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
2
Counter-intuitive but Interesting feature. Thanks for clarifying
– lamino
Dec 18 at 20:10
14
The directory, the listing of file names, is not encrypted - this is why situations where the directory listing is also sensitive often have the original files zipped unencrypted into a zip file, which is then zipped and encrypted into another zip file. Then the only thing that is visible without the password is the name of the inner zip file.
– Stobor
Dec 19 at 5:40
2
@Stobor on a related note, the.7zarchive format has the option to encrypt the directory listing as well as the files.
– user3490
Dec 19 at 18:56
add a comment |
Zip archives can have multiple passwords for different contained files. Files within an archive are essentially independent of each other - they are compressed without regard for other files, and they are encrypted in the same fashion. Your encrypted.zip will have two (or more) encrypted segments, one with your original password and one with the new one.
Trying to unzip the file would prompt for both passwords:
$ unzip ../test.zip
Archive: ../test.zip
[../test.zip] file1 password:
inflating: file1
inflating: file2
[../test.zip] newfile password:
inflating: newfile
The directory, the listing of file names, is not encrypted. This is not a bug, though it can be confusing and not all zip tools handle the situation well (particularly graphical tools).
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
Zip archives can have multiple passwords for different contained files. Files within an archive are essentially independent of each other - they are compressed without regard for other files, and they are encrypted in the same fashion. Your encrypted.zip will have two (or more) encrypted segments, one with your original password and one with the new one.
Trying to unzip the file would prompt for both passwords:
$ unzip ../test.zip
Archive: ../test.zip
[../test.zip] file1 password:
inflating: file1
inflating: file2
[../test.zip] newfile password:
inflating: newfile
The directory, the listing of file names, is not encrypted. This is not a bug, though it can be confusing and not all zip tools handle the situation well (particularly graphical tools).
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
answered Dec 18 at 20:00
Michael Homer
45.6k8121160
45.6k8121160
2
Counter-intuitive but Interesting feature. Thanks for clarifying
– lamino
Dec 18 at 20:10
14
The directory, the listing of file names, is not encrypted - this is why situations where the directory listing is also sensitive often have the original files zipped unencrypted into a zip file, which is then zipped and encrypted into another zip file. Then the only thing that is visible without the password is the name of the inner zip file.
– Stobor
Dec 19 at 5:40
2
@Stobor on a related note, the.7zarchive format has the option to encrypt the directory listing as well as the files.
– user3490
Dec 19 at 18:56
add a comment |
2
Counter-intuitive but Interesting feature. Thanks for clarifying
– lamino
Dec 18 at 20:10
14
The directory, the listing of file names, is not encrypted - this is why situations where the directory listing is also sensitive often have the original files zipped unencrypted into a zip file, which is then zipped and encrypted into another zip file. Then the only thing that is visible without the password is the name of the inner zip file.
– Stobor
Dec 19 at 5:40
2
@Stobor on a related note, the.7zarchive format has the option to encrypt the directory listing as well as the files.
– user3490
Dec 19 at 18:56
2
2
Counter-intuitive but Interesting feature. Thanks for clarifying
– lamino
Dec 18 at 20:10
Counter-intuitive but Interesting feature. Thanks for clarifying
– lamino
Dec 18 at 20:10
14
14
The directory, the listing of file names, is not encrypted - this is why situations where the directory listing is also sensitive often have the original files zipped unencrypted into a zip file, which is then zipped and encrypted into another zip file. Then the only thing that is visible without the password is the name of the inner zip file.
– Stobor
Dec 19 at 5:40
The directory, the listing of file names, is not encrypted - this is why situations where the directory listing is also sensitive often have the original files zipped unencrypted into a zip file, which is then zipped and encrypted into another zip file. Then the only thing that is visible without the password is the name of the inner zip file.
– Stobor
Dec 19 at 5:40
2
2
@Stobor on a related note, the
.7z archive format has the option to encrypt the directory listing as well as the files.– user3490
Dec 19 at 18:56
@Stobor on a related note, the
.7z archive format has the option to encrypt the directory listing as well as the files.– user3490
Dec 19 at 18:56
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f489757%2fis-this-a-zip-encryption-bug%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
5
Have you found a way to read the data in the original zip file?
– ctrl-alt-delor
Dec 18 at 20:24
@ctrl-alt-delor yes I didn't forget my password, I realised this by accident
– lamino
Dec 18 at 20:40
16
Sorry I meant, Have you found a way to read the data in the original zip file, without knowing the password?
– ctrl-alt-delor
Dec 18 at 20:53