Expected behavior
The vulnerable code is here; the password comparison should use a constant-time algorithm.
Actual behavior
The vulnerable code is here. An attacker could leverage the differences in execution time to recover the secrets. String comparison with == is not a constant-time implementation: it returns as soon as a differing character is found, so the execution time varies with how many leading characters match. A constant-time implementation is recommended.
A more detailed explanation can be found here.
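As an added example (not code from the issue or the project; the project's language is not stated, so Python is used), the vulnerable == pattern is shown beside a hand-written constant-time comparison and the standard-library `hmac.compare_digest` applied to fixed-length derived keys. The salt and the password "correct horse" are constructed sample values.

```python
import hashlib
import hmac


def naive_check(expected_secret: str, provided_secret: str) -> bool:
    """Vulnerable comparison (the pattern the issue describes).

    `==` returns as soon as it finds a differing character, so the time it
    takes grows with the length of the matching prefix. An observer who can
    time many attempts learns how many leading characters were correct.
    """
    return expected_secret == provided_secret


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Hand-written constant-time equality, to make the algorithm explicit.

    Every byte is visited and differences are OR-ed into an accumulator, so
    the work done does not depend on where the first mismatch occurs. Only
    the length check can short-circuit; comparing fixed-length digests (as
    verify_password does) removes even that signal.
    """
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


# Constructed sample values for the demo (not from the project).
SALT = b"constructed-salt-for-demo"


def derive(password: str) -> bytes:
    # PBKDF2-HMAC-SHA256 yields a fixed 32-byte key, so the comparison
    # below never leaks the candidate's length either.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


STORED_KEY = derive("correct horse")


def verify_password(candidate: str) -> bool:
    """Hardened check: compare fixed-length derived keys with
    hmac.compare_digest, the standard library's constant-time comparison."""
    return hmac.compare_digest(STORED_KEY, derive(candidate))
```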