benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License

Security Issue: Potential timing attack when using '===' to compare password hashes #1555

Closed dvicedo closed 2 years ago

dvicedo commented 2 years ago

Hi Team, First of all, thanks for taking the time to read this. I was looking for timing attacks in public repositories and found a security issue similar to a previous one https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/1089 but in another code section:

A simple strict equals sign === is used for hash comparison, which is vulnerable to timing attack. I think that hash_equals() could be used instead. It seems that this portion of code is part of the legacy _password_verify_sha1_legacy function, so I don't know if you want to fix it or not, but I only wanted to notify you.

Have a great week, Thanks!
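The comparison pattern the issue is about, shown as an added example that is not Ion Auth's code and not part of either commenter's post. The function names, the salt-plus-password SHA-1 layout and the stored-hash format are assumptions made for this illustration only; the real `_password_verify_sha1_legacy` may differ.

```php
<?php
// Added example, not Ion Auth's own code. The function names, the
// salt . password SHA-1 layout and the stored-hash format are assumptions
// for this illustration only.

// Vulnerable form: `===` on two strings compares byte by byte and returns
// as soon as a mismatch is found, so the time taken depends on how many
// leading bytes of the computed hash agree with the stored one.
function verifyLegacyVulnerable(string $storedHash, string $salt, string $password): bool
{
    $computed = sha1($salt . $password);
    return $computed === $storedHash;
}

// Hardened form: hash_equals() (PHP >= 5.6) takes time proportional to the
// length of the first (known) argument and does not short-circuit on the
// first differing byte. Pass the stored hash first and the user-derived
// value second, so the comparison time is governed by the known string.
function verifyLegacyHardened(string $storedHash, string $salt, string $password): bool
{
    $computed = sha1($salt . $password);
    return hash_equals($storedHash, $computed);
}

// Constructed sample data for running the example locally.
$salt       = 'constructed-salt';
$password   = 'correct horse battery staple';
$storedHash = sha1($salt . $password);

var_dump(verifyLegacyHardened($storedHash, $salt, $password));
var_dump(verifyLegacyHardened($storedHash, $salt, 'wrong password'));

// hash_equals() simply returns false when the two strings differ in length,
// which also covers a malformed or truncated stored hash.
var_dump(verifyLegacyHardened(substr($storedHash, 0, 20), $salt, $password));
```

Both functions accept the same input and return the same boolean; the only behavioural difference is that the hardened version no longer leaks, through its running time, how much of the computed hash matched the stored one. The same substitution applies anywhere a secret-derived string is compared with `==` or `===`.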

benedmunds commented 2 years ago

Great catch, thanks for this! Updated here: https://github.com/benedmunds/CodeIgniter-Ion-Auth/commit/f08cd919e79d6783d24583cb30008d7c6c640d40