
Security issue

Open heloufir opened this issue 5 years ago • 0 comments

Hello,

I came across your simple-passport package in the laravel-news community links. I came across a small security issue while reviewing the code. In the following two places it’s possible for an attacker to use a timing attack because the token comparison is not done in constant time. This article has some great background info on how timing attacks work. To mitigate this risk you can use the hash_equals function instead.

https://github.com/heloufir/simple-passport/blob/351a363f31cb592b23165afd4218e8e9a34229bd/src/Http/Controllers/PasswordController.php#L42

https://github.com/heloufir/simple-passport/blob/1.5.2/src/Helpers/TokenHandler.php#L29

Big thanks to Matthew Allan ([email protected])

  • Matt

heloufir · Apr 21 '19 14:04
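The vulnerable and the hardened comparison side by side, as an added example that is not code from simple-passport or from the reporter. `TokenCheck`, the method names and the sample values are assumptions made for illustration; the point is the one raised in the issue: `==` (and `===`) on strings exits at the first differing byte, so the time a request takes leaks how many leading bytes of the guess were right, while `hash_equals()` examines every byte of equal-length strings. Two practical caveats a practitioner should keep in mind: `hash_equals()` still returns early when the lengths differ, which is acceptable because a token's length is not secret, and it requires both arguments to be strings (PHP 8 throws a `TypeError` otherwise), so cast or validate user input before calling it.

```php
<?php
declare(strict_types=1);

// Added example (not from simple-passport): the token comparison pattern
// flagged in the issue, beside its constant-time replacement.
final class TokenCheck
{
    // Vulnerable pattern: string comparison with == stops at the first byte
    // that differs, so the elapsed time depends on how long the matching
    // prefix is. It also applies PHP's loose comparison rules to
    // numeric-looking strings.
    public static function verifyInsecure(string $stored, string $provided): bool
    {
        return $stored == $provided;
    }

    // Hardened pattern: hash_equals() (PHP >= 5.6) compares all bytes of two
    // equal-length strings regardless of where they differ. It returns false
    // immediately on a length mismatch, which is fine for tokens of public
    // length, and it only accepts strings, hence the string type hints.
    public static function verifySecure(string $stored, string $provided): bool
    {
        return hash_equals($stored, $provided);
    }

    // Variant for tokens that are stored as a digest rather than in clear:
    // hash the candidate and compare digests. This also normalizes the
    // length of both operands, so even the length check reveals nothing.
    public static function verifyHashed(string $storedDigest, string $provided): bool
    {
        return hash_equals($storedDigest, hash('sha256', $provided));
    }
}

// Constructed sample values for a stand-alone run.
$stored = bin2hex(random_bytes(32));                                   // 64 hex chars
$partialGuess = substr($stored, 0, 10) . str_repeat('0', 54);          // correct 10-char prefix, wrong remainder
$storedDigest = hash('sha256', $stored);

var_dump(TokenCheck::verifyInsecure($stored, $partialGuess)); // rejects, but runtime grows with the matching prefix
var_dump(TokenCheck::verifySecure($stored, $partialGuess));   // rejects in time independent of the prefix
var_dump(TokenCheck::verifySecure($stored, $stored));         // accepts the real token
var_dump(TokenCheck::verifyHashed($storedDigest, $stored));   // accepts via digest comparison

// Loose-comparison pitfall of ==: numeric-looking strings are compared as numbers.
var_dump(TokenCheck::verifyInsecure('0e12345', '0e99999'));
var_dump(TokenCheck::verifySecure('0e12345', '0e99999'));
```

The last pair shows a second reason to avoid `==` here: PHP parses both `'0e12345'` and `'0e99999'` as the float zero, so `verifyInsecure()` reports them equal, whereas `hash_equals()` compares the bytes and reports them different. In a Laravel code base, tokens that are persisted as bcrypt hashes should go through `Hash::check()`, which is constant time internally; `hash_equals()` is the right tool when the stored value is the raw token or a fixed-length digest as above.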