simple-passport
Security issue
Hello,
I came across your simple-passport package in the laravel-news community links. I came across a small security issue while reviewing the code. In the following two places it’s possible for an attacker to use a timing attack because the token comparison is not done in constant time. This article has some great background info on how timing attacks work. To mitigate this risk you can use the hash_equals function instead.
https://github.com/heloufir/simple-passport/blob/351a363f31cb592b23165afd4218e8e9a34229bd/src/Http/Controllers/PasswordController.php#L42
https://github.com/heloufir/simple-passport/blob/1.5.2/src/Helpers/TokenHandler.php#L29
Big thanks to Matthew Allan ([email protected])
- Matt
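An added example, not code from simple-passport (the two linked lines are the project's own): a constructed reset-token check in the short-circuiting form the issue describes beside the `hash_equals` form it recommends, with hypothetical class and method names.

```php
<?php
declare(strict_types=1);

// Hypothetical token verifier (constructed for this example; not simple-passport code).
final class ResetTokenVerifier
{
    /**
     * The pattern the issue reports: a plain string comparison stops at the first
     * differing byte, so the response time depends on how many leading bytes of the
     * supplied value match the stored token. Kept here only to show the weak form.
     */
    public static function verifyNaive(string $stored, string $provided): bool
    {
        return $stored === $provided;
    }

    /**
     * Mitigation from the issue: hash_equals() compares every byte regardless of
     * where the first mismatch is. The known (secret) value is the first argument.
     */
    public static function verifyConstantTime(string $stored, string $provided): bool
    {
        return hash_equals($stored, $provided);
    }

    /**
     * When the database stores a hash of the token rather than the token itself,
     * hash the user-supplied value first so both operands have the same fixed length;
     * hash_equals() only returns early on a length mismatch, not on content.
     */
    public static function verifyHashed(string $storedHash, string $provided): bool
    {
        return hash_equals($storedHash, hash('sha256', $provided));
    }
}

// Constructed token, generated from a CSPRNG as a framework would.
$token      = bin2hex(random_bytes(32));
$storedHash = hash('sha256', $token);

var_dump(ResetTokenVerifier::verifyConstantTime($token, $token));
var_dump(ResetTokenVerifier::verifyConstantTime($token, str_repeat('0', 64)));
var_dump(ResetTokenVerifier::verifyHashed($storedHash, $token));
```

Where the incoming value comes straight from the request, validate it as a string before the call: hash_equals() does not accept non-string arguments (a TypeError on PHP 8, a warning and false on PHP 7).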