pyspider
Potential Side Channel Attack on non-constant time Comparison
- pyspider version: 0.3.10
- Operating system: Ubuntu-22.04
- Start up command:
Expected behavior
The vulnerable code is here; the password comparison should use a constant-time algorithm.
Actual behavior
The vulnerable code is here. An attacker could leverage differences in execution time to recover the secret. String comparison with == is not a constant-time implementation: the execution time may vary with how many leading characters match. A constant-time implementation is recommended. A more detailed explanation can be found here.
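As an added illustration (not pyspider's own code; function names are hypothetical), the plain `==` check described above next to a constant-time replacement built on `hmac.compare_digest`. Both inputs are hashed to a fixed length first, so the comparison leaks neither the length of the secret nor how many leading characters matched, and non-ASCII passwords are handled by comparing bytes rather than str.

```python
import hashlib
import hmac


def check_password_unsafe(supplied: str, expected: str) -> bool:
    """The pattern the issue reports: ``==`` stops at the first
    mismatching character, so the time taken grows with the length of
    the matching prefix and can be measured by a remote caller."""
    return supplied == expected


def check_password_constant_time(supplied: str, expected: str) -> bool:
    """Constant-time check.

    hmac.compare_digest returns early when the two inputs differ in
    length, which would reveal the secret's length; hashing both sides
    to a fixed-size digest removes that signal. Comparing bytes rather
    than str also avoids the ASCII-only restriction compare_digest
    places on str arguments (non-ASCII passwords would otherwise raise
    ValueError)."""
    a = hashlib.sha256(supplied.encode("utf-8")).digest()
    b = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(a, b)


def check_credentials(username: str, password: str,
                      expected_user: str, expected_pass: str) -> bool:
    """Login check that evaluates both fields before deciding, so a
    wrong username is not rejected faster than a wrong password."""
    user_ok = check_password_constant_time(username, expected_user)
    pass_ok = check_password_constant_time(password, expected_pass)
    return user_ok and pass_ok


if __name__ == "__main__":
    # Constructed sample credentials for a local run.
    print(check_credentials("admin", "s3cret", "admin", "s3cret"))   # True
    print(check_credentials("admin", "s3creT", "admin", "s3cret"))   # False
```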