Bouncy Castle Authentication Bypass Vulnerability Threat Intel Advisory

CloudSEK threat intelligence advisory on Bouncy Castle authentication bypass flaw, CVE-2020-28052, allows attackers to evade password checks.
Updated on
April 19, 2023
Published on
December 29, 2020
Subscribe to the latest industry news, threats and resources.
Vulnerability Intelligence
Authentication Bypass 
Bouncy Castle API 1.65/1.66
Affected Platforms
Java/C# .NET applications
  CVSS Score: 8.1 [High] Bouncy Castle is a popular Java library to implement cryptographic functionalities in applications. It supports C# and .Net platforms. Recently, an authentication bypass vulnerability was detected in one of the classes handling Bcrypt hashing and is tracked as CVE-2020-28052. The vulnerability discovered in the OpenBSDBcrypt class has a logical issue in computing the hash matching that allows attackers to evade password checks to bypass authentication into the application. Given below is the code snippet from the form validation method doCheckPassword. It implements a flawed routine to check for the password hash against the stored hash.    [caption id="attachment_9186" align="alignnone" width="652"]Vulnerable Code Vulnerable Code[/caption]   Once the attacker bypasses the password check, they don't need a byte-for-byte match with the stored hash value, which enables authentication bypass. Attackers use brute force attacks to crack passwords until the bypass is triggered. Here’s a list of major applications that use BouncyCastle (Versions that are not verified):
  • Google Messages
  • Netflix
  • Wish App
  • Samsung Email
  • Xiomi File Manager
  • PhonePe 
  • Amazon Alexa


  • Applications using Bouncy Castle 1.65 or 1.66 are vulnerable to authentication bypass vulnerability.
  • Attackers can bypass the authentication mechanism implemented by the affected Bouncy Castle library in the application.
  • Authentication bypass can lead to unauthorized information disclosure 
  • Bcrypt hashing based authentications are widely used in web applications and APIs, this vulnerability compromises the security of such systems if not checked.


Bouncy Castle 1.67 (released 11/1/2020) provides a fix for this vulnerability.  [Versions prior to 1.65 are not affected] 

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations