Websites from Google, Microsoft, Yahoo and those based on Java appear vulnerable to hash collisions, according to researchers.
According to SC Magazine, researcher Daniel Bernstein said the popular MurmurHash algorithm was vulnerable, as was a hash used by Python, Google's CityHash and Microsoft's .Net Marvin32 hash. “Some applications, practically every string that you hash has some fixed first byte which means you'll have all of those strings piling up on a certain link list, no matter how many [lists] you have,” he told the magazine.
“You can have the world's most amazing hash function [but] reduce it to the size of the hash table and suddenly the attacker can find collisions by trying a million inputs, of which one has a value of say zero … after reasonable computation, the attacker has piled up thousands of string with a hash value of zero,” he says.
“The question isn't where are hashes used, it is where aren't they used – just about every real-world application has them somewhere.”
Bernstein and others are recommending the use of SipHash 2.4, a 128 bit algorithm, that is ten times as fast as SHA-3.