Possible Security Bug?

CWebUser lines 460-462:

		if($cookie && !empty($cookie->value) && is_string($cookie->value) && ($data=$app->getSecurityManager()->validateData($cookie->value))!==false)



If a user can authenticate with cookie based authentification, he gains neccessary information to brute force the secret key used by CSecurityManager. Application security is dependant on an algorithm - because anyone with this key could possibly create a cookie with any data, which is directly passed to unserialize, i.e. arbitrary code execution. So my question is - how safe is this private key? Do we have a guarantee that it won’t be brute forced by our users?

Any thoughts appreciated.

P.S. Not sure if this is the correct place to post this :)

I think that such security concerns should be first discussed privately with the core developers, try contacting them. Don’t post an issue on Github either.

I was about to ask how such bruteforce attack on the secret key could be performed, but let’s wait for some core devs comment first.