Cow Vulnerabilities and Exposures (CVEs)

A side channel vulnerability in the handling of shy cows' names allowed an attacker to deduce the shy cow's name by submitting crafted names and analyzing the position of the shy cow in the herd. By observing how the position of a newly submitted cow related to other cows in the herd, the attacker could perform a binary search to reveal censored names of shy cows. This could violate the privacy expectations of shy cows in the herd.

Successful exploitation could result in the exposure of shy cows' names that were intended to remain private. No data corruption or denial of service is possible via this vector, but the privacy of the herd is at risk.

This vulnerability affects both the main https://moooo.farm/ web interface as well as the API endpoints available under https://moooo.farm/api.

All versions before the fix commit and after the cow characters were introduced.

Patched in commit c23046b80b14eca192e1574b7a97fd2934208e2b.

The patch ensures that the sorting logic no longer leaks information about the shy cows' names via the cows' position in the list, making such side channel attacks infeasible. No action is required for existing cows or new cows.

As of the date of this advisory, there is no evidence that this vulnerability was ever exploited in the wild or at the farm. The issue was discovered internally during a routine code review and has only theoretical impact. No user-reported incidents or suspicious activity related to this vulnerability have been observed.