Critical vulnerability with use of timing-sensitive comparison! #22

Open
rlittlefield opened this issue Oct 15, 2018 · 0 comments

@rlittlefield

https://github.com/chregu/GoogleAuthenticator.php/blob/master/lib/GoogleAuthenticator.php#L31

The checkCode generator currently uses == to compare the user-provided code to the system-generated code. It should be switched to use PHP's hash_equals function, which is able to perform the comparison in a way that does not leak timing data.

http://php.net/manual/en/function.hash-equals.php

This is important because the 30-second TOTP window is likely enough to make many attempts to validate a code. Because the project isn't under active maintenance, I would suggest adding a line to the readme referring people to a different TOTP library, such as:

https://github.com/Spomky-Labs/otphp

Argevollen added a commit to Argevollen/GoogleAuthenticator.php that referenced this issue May 12, 2019
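The comparison the issue describes, as an added example that is not code from GoogleAuthenticator.php or from the issue author. It shows a TOTP check written two ways, with loose `==` beside `hash_equals()`, over a code generated locally so the script runs offline. The function names `totpCode`, `checkCodeLoose` and `checkCodeSafe` are hypothetical; the TOTP parameters (30-second step, 6 digits, HMAC-SHA1) are assumed to match what Google Authenticator uses.

```php
<?php
// Added example, not part of the GoogleAuthenticator.php library.
declare(strict_types=1);

// RFC 6238 TOTP for a raw (already base32-decoded) secret and a time step.
// Assumption: 6 digits and HMAC-SHA1, as Google Authenticator uses.
function totpCode(string $rawSecret, int $timeSlice, int $digits = 6): string
{
    $counter = pack('N2', 0, $timeSlice);                 // 8-byte big-endian counter
    $hash    = hash_hmac('sha1', $counter, $rawSecret, true); // 20 raw bytes
    $offset  = ord($hash[19]) & 0x0f;                     // dynamic truncation (RFC 4226)
    $value   = ((ord($hash[$offset])     & 0x7f) << 24)
             | ((ord($hash[$offset + 1]) & 0xff) << 16)
             | ((ord($hash[$offset + 2]) & 0xff) << 8)
             |  (ord($hash[$offset + 3]) & 0xff);
    $code = $value % (10 ** $digits);
    return str_pad((string) $code, $digits, '0', STR_PAD_LEFT); // zero-padded
}

// The pattern the issue reports: loose comparison. Its running time depends
// on where the strings first differ, and PHP compares two numeric strings
// as numbers, so leading zeros are ignored ('012345' == '12345' is true).
function checkCodeLoose(string $rawSecret, string $userCode, int $timeSlice, int $discrepancy = 1): bool
{
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        $expected = totpCode($rawSecret, $timeSlice + $i);
        if ($expected == $userCode) {   // timing-dependent, numeric-coercing
            return true;
        }
    }
    return false;
}

// Hardened form: hash_equals() takes time independent of the position of
// the first mismatch and compares byte-for-byte with no coercion.
// Known (expected) string first, user-supplied string second.
function checkCodeSafe(string $rawSecret, string $userCode, int $timeSlice, int $discrepancy = 1): bool
{
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        $expected = totpCode($rawSecret, $timeSlice + $i);
        if (hash_equals($expected, $userCode)) {
            return true;
        }
    }
    return false;
}

// Constructed demo input: a random 20-byte secret and the current time step.
$secret = random_bytes(20);
$slice  = intdiv(time(), 30);
$code   = totpCode($secret, $slice);

var_dump(checkCodeSafe($secret, $code, $slice));      // bool(true)
var_dump(checkCodeSafe($secret, '000000', $slice));   // almost certainly bool(false)

// PHP's loose comparison of numeric strings, the second reason to avoid ==
// on zero-padded codes (a property of the language, not of the library):
var_dump('012345' == '12345');          // bool(true)
var_dump(hash_equals('012345', '12345')); // bool(false)
```

Both arguments to `hash_equals()` must be strings, so a value read straight from a request should be validated or cast before the call, or PHP raises a TypeError. `hash_equals()` still returns early when the lengths differ, which is harmless here because the expected length of a TOTP code is public.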