
Potential Side Channel Attack on non-constant time Comparison

Open · nevercodecorrect opened this issue 10 months ago · 1 comment

  • pyspider version: 0.3.10
  • Operating system: Ubuntu-22.04
  • Start up command:

Expected behavior

The vulnerable code is here, the password comparison should use a constant time algorithm

Actual behavior

The vulnerable code is here. An attacker could leverage the differences in execution time to recover the secrets. String comparison `==` is not a constant-time implementation; the execution time may vary based on how many characters are matched. A constant-time implementation would be recommended. A more detailed explanation can be found here.

nevercodecorrect · Apr 07 '24 21:04
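The fix the reporter asks for, shown as an added example rather than pyspider's own code: the `==` pattern the issue describes next to a comparison built on `hmac.compare_digest`. Function names, the sample credentials and the choice to hash both sides with SHA-256 before comparing are assumptions made here; the hashing step keeps the two inputs the same length, so that `compare_digest`'s timing does not depend on the length of the secret either.

```python
import hashlib
import hmac


def insecure_check(supplied: str, expected: str) -> bool:
    """The pattern the issue reports: `==` returns as soon as the first
    differing character is found, so the time taken depends on how long
    the common prefix of `supplied` and `expected` is."""
    return supplied == expected


def constant_time_check(supplied: str, expected: str) -> bool:
    """Compare a submitted password against the expected one without the
    early-exit behaviour of `==`.

    Both values are hashed first (assumption made in this example), so that
    hmac.compare_digest always sees two 32-byte inputs: its documented
    guarantee holds for equal-length byte strings, and hashing removes the
    length of the real password from the timing as well."""
    a = hashlib.sha256(supplied.encode("utf-8")).digest()
    b = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(a, b)


def check_login(username: str, password: str, users: dict) -> bool:
    """Look up a user and verify the password in constant time.

    `users` maps a username to its expected password (constructed sample
    below). A missing user still runs a comparison against a dummy value so
    that "unknown user" and "wrong password" take a comparable amount of
    time and do not reveal which usernames exist."""
    expected = users.get(username)
    if expected is None:
        # Dummy comparison keeps the code path uniform for unknown users.
        constant_time_check(password, "\x00" * 16)
        return False
    return constant_time_check(password, expected)


# Constructed sample credentials for demonstration only.
SAMPLE_USERS = {"admin": "correct horse battery staple"}

if __name__ == "__main__":
    print(check_login("admin", "correct horse battery staple", SAMPLE_USERS))  # True
    print(check_login("admin", "correct horse battery stapler", SAMPLE_USERS))  # False
    print(check_login("nobody", "anything", SAMPLE_USERS))  # False
```

`hmac.compare_digest` is in the standard library since Python 3.3, so the swap from `==` needs no new dependency; the only extra care is to compare bytes (or two `str` values of the same type) rather than mixing types, which is why both sides are encoded and hashed before the call.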