From Ars Technica:
There’s a vulnerability in Master Lock branded padlocks that allows anyone to learn the combination in eight or fewer tries, a process that requires less than two minutes and a minimal amount of skill to carry out.
The exploit involves lifting up a locked shackle with one hand while turning the combination dial counterclockwise starting at the number 0 with the other. Before the dial reaches 11, there will be three points where the dial will resist being turned anymore. One of them will be ignored as it is exactly between two whole numbers on the dial. The remaining two locations represent locked positions. Next, an attacker again lifts the locked shackle, this time with less force, while turning the dial clockwise. At some point before a full revolution is completed, the dial will resist being turned. (An attacker can still turn through it but will physically feel the resistance.) This location represents the resistance location. The two locked positions and the one resistance position are then recorded on a Web page that streamlines the exploit.
The page responds with the first digit of the combination and two possible digits for the last digit. By testing which of the possible last digits has more “give,” an attacker can quickly figure out which one is correct. By eliminating the false digit from the Web form, the page will automatically populate the eight possible numbers for the second digit of the combination. Now that the attacker knows the first and last digits and knows the second digit is one of eight possible numbers, the hack is a simple matter of trying each possible combination until the correct one opens the lock. The following video provides a simple tutorial.
[embedded content] Break open any Master Combo Lock in 8 tries or&hellip