Critical Bug in Codeforces: Broken AES encryption results in 403 Forbidden Error. (Solution)

#	User	Rating
1	tourist	4009
2	jiangly	3831
3	Radewoosh	3646
4	jqdai0815	3620
4	Benq	3620
6	orzdevinwang	3529
7	ecnerwala	3446
8	Um_nik	3396
9	gamegame	3386
10	ksun48	3373

#	User	Contrib.
1	cry	164
1	maomao90	164
3	Um_nik	163
4	atcoder_official	160
5	-is-this-fft-	158
6	awoo	157
7	adamant	156
8	TheScrasse	154
8	nor	154
10	Dominater069	153

After investigating an issue resulting in a 403 error when trying to access codeforces as described in this blog: https://codeforces.net/blog/entry/80065

I believe I have found the issue and the solution.

Codeforces uses a "slow aes" decryption function to require users to perform a non-trivial amount of computational work before they can access the site, presumably to protect against malicious users spamming the server. A parameter is given based on the user's IP address and the user must decrypt using this to generate a RCPC token in order to access the site.

Those experiencing the 403 error likely are victims of a bug that causes the last 2 characters (last byte in binary) to be deleted. You can confirm this by checking your RCPC token in your cookies. This token should be 32 characters, but is only 30 if you experience this bug.

The aes javascript implementation is from here: https://codeforces.net/aes.min.js

I believe the issue is with the function "unpadBytesOut". In the image below I am logging the "bytesOut" variable, which stores the final token, before and after this function.

                console.log("BEFORE" ,bytesOut.toString(), bytesOut.length);
                this.unpadBytesOut(bytesOut);
                console.log("AFTER" ,bytesOut.toString(), bytesOut.length);

Console Log

As you can see, in this particular case, the last byte has been deleted by this function. I have found that around 8% of randomly generated aes parameters (the one based on your ip) has this issue.

If you are having this issue, download the javascript and run it locally, after removing the line calling this function. I am also happy to generate the token for anyone who has difficulty doing it themselves. If you send me your response from codeforces.com without redirects and I can send you the corrected token. If you're on linux or max for example, you can send me the response to the command "curl codeforces.com". Note that this token won't compromise the security of your account as I believe it is purely to protect again a DDOS by verifying the IPs.

I hope MikeMirzayanov can get this fixed as soon as possible.

Rev.	By	When	Δ	Comment
en6	prophet_	2020-07-14 12:23:51	198
en5	prophet_	2020-07-14 09:44:35	279	UPD: The issue has been fixed!
en4	prophet_	2020-07-14 00:35:41	16
en3	prophet_	2020-07-13 07:33:44	3	Tiny change: 'our ip) have this issu' -> 'our ip) has this issu'
en2	prophet_	2020-07-13 06:59:20	220
en1	prophet_	2020-07-13 06:54:17	2209	Initial revision (published)

Rev.

Lang.

When

Comment

en6