amerhendy / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

Fix for timing attacks against OAuth.php #178

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I've made a patch for OAuth.php that implements the recommended style of 
constant-time string comparison to fix the timing attack problem described 
here: 
http://thenextweb.com/socialmedia/2010/07/17/oauth-and-openid-authentication-vul
nerable-to-timing-attack/

I've done some testing and it seems to mitigate the problem, but someone with 
security expertise should review this. Use at your own risk.

Original issue reported on code.google.com by zcop...@gmail.com on 17 Jul 2010 at 9:40

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 4:29

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1258.

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 5:16

GoogleCodeExporter commented 9 years ago
Sorry, misprinted the issue-number in the commit message. I will look at this 
later though.

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 5:17

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1259.

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 5:34