Hi Team,
First of all, thanks for taking the time to read this.
I was looking for timing attacks in public repositories and found a security issue similar to a previous one https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/1089 but in another code section:
A simple strict equals sign === is used for hash comparison, which is vulnerable to timing attack. I think that hash_equals() could be used instead. It seems that this portion of code is part of the legacy _password_verify_sha1_legacy function so I don't know if you want to fix it or not, but only wanted to notify you.
Have a great week, Thanks!
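The comparison the issue describes, as an added example that is not Ion Auth's own code: a legacy SHA-1 check written with === beside the same check using hash_equals(). The function names, the salt layout and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the Ion Auth project. The function names,
// salt layout and sample values below are assumptions for illustration.

// Vulnerable form: === compares the strings byte by byte and stops at the
// first mismatch, so the time taken leaks how many leading bytes matched.
function verify_sha1_legacy_vulnerable(string $password, string $storedHash, string $salt): bool
{
    $computed = sha1($salt . $password);
    return $computed === $storedHash;
}

// Hardened form: hash_equals() takes time that depends only on the length
// of the strings, not on the position of the first differing byte.
function verify_sha1_legacy_hardened(string $password, string $storedHash, string $salt): bool
{
    $computed = sha1($salt . $password);
    // The known (stored) value is the first argument, the value derived from
    // user input the second; both must be strings or PHP 8 throws a TypeError.
    return hash_equals($storedHash, $computed);
}

// Constructed sample values for a self-check.
$salt   = 'constructed-salt';
$stored = sha1($salt . 'correct horse battery staple');

var_dump(verify_sha1_legacy_hardened('correct horse battery staple', $stored, $salt));
var_dump(verify_sha1_legacy_hardened('wrong password', $stored, $salt));
var_dump(verify_sha1_legacy_vulnerable('correct horse battery staple', $stored, $salt));
```

Both functions return the same booleans; the difference is only in how long the mismatch path takes, which is why the hardened form is the one to keep even in legacy code.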