Disposition: Privacy / broken de-identification (no external attacker). Analogue of metalama/Metalama#1654.
Affected code
Core/PostSharp.Compiler.Settings/User/PerUsageLicensing/TypeHasher.cs:13-26 - FNV-1a, hashSizeInBits = 32, no salt/key
Core/PostSharp.Compiler.Settings/User/PerUsageLicensing/TypeHash.cs - stored as int
UserInterface/PostSharp.Settings/Ceip/UploadManager.cs:185-216 - PrepareTypeHashesForUpload
Description
Per-usage license telemetry "anonymizes" customer type full-names with an unsalted, unkeyed 32-bit FNV-1a hash, then uploads it (encrypted in transit) to the vendor. Because the hash is non-cryptographic, 32-bit, unsalted, and the preimages are low-entropy guessable CLR type names, the receiving server can reverse it (precompute / brute-force the 2^32 space against a name wordlist), recovering the customer's proprietary type names that the hashing was meant to conceal. Not MITM-exploitable (the payload is encrypted) - the weakness is against the vendor/recipient.
Recommendation
If true de-identification is intended, use a wide cryptographic hash keyed/salted with a per-customer secret the server never receives (HMAC-SHA-256 with a locally-generated, never-uploaded salt); or drop per-type granularity and upload only per-license aggregate counts/LOC. At minimum, document in the privacy notice that per-usage type identifiers are sent in a reversible-hashed form.
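The difference between the reported scheme and the recommended one, as an added example (not PostSharp's code): the class and method names are hypothetical, the type names are constructed sample data, and hashing the UTF-8 bytes of the name is an assumption about how the input is encoded.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class TypeNameHashingDemo
{
    // Weak form from the report: unkeyed 32-bit FNV-1a (hashing UTF-8 bytes is an assumption).
    static uint Fnv1a32(string typeName)
    {
        uint hash = 2166136261u;                      // FNV offset basis
        foreach (byte b in Encoding.UTF8.GetBytes(typeName))
            hash = unchecked((hash ^ b) * 16777619u); // XOR the byte, then multiply by the FNV prime
        return hash;
    }

    // Recommended form: HMAC-SHA-256 under a key that is generated and kept on the client.
    static string KeyedHash(byte[] localKey, string typeName)
    {
        using (var hmac = new HMACSHA256(localKey))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(typeName)));
    }

    static byte[] NewLocalKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;                                   // persist locally; never put it in an upload
    }

    static void Main()
    {
        // Constructed sample data: one uploaded type name and a recipient-side candidate list.
        string uploaded = "Contoso.Billing.InvoiceAggregator";
        string[] candidates = { "Contoso.Billing.Invoice", uploaded, "Contoso.Crm.Lead" };

        // Unkeyed: the recipient hashes its own candidates and compares, so the name is recovered.
        uint sentFnv = Fnv1a32(uploaded);
        Console.WriteLine("FNV-1a matches: " + string.Join(", ", candidates.Where(c => Fnv1a32(c) == sentFnv)));

        // Keyed: the recipient lacks the client's key, so hashing candidates under any other key finds nothing.
        string sentMac = KeyedHash(NewLocalKey(), uploaded);
        byte[] otherKey = new byte[32];               // stand-in for "not the client's key"
        Console.WriteLine("HMAC matches:   " + candidates.Count(c => KeyedHash(otherKey, c) == sentMac));
    }
}
```

The keyed identifier stays stable per installation only as long as the same local key is reused, so the key has to be stored on the client and excluded from everything that is uploaded.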
Backward compatibility
The .psbin format is internal telemetry plumbing; changing the hash needs a coordinated server-side decoder update but no public API/IL/MSBuild/pipe break.
Resolution
The per-usage (metered) license is no longer supported, so the per-usage telemetry has been removed entirely - PostSharp no longer collects, hashes, or uploads type names. A fix is in progress.