~ethanmad/bouts.app#2: Fix models userService.Authenticate registered users timing side-channel

# What is the issue?

userService.Authenticate in models has a timing side-channel that reveals which users are registered: it returns early when the us.ByEmail call returns a non-nil error, so an unknown email address fails faster than a known email address with a wrong password.

# Why is this a problem?

This leaks information about which users are registered. Authenticate already returns the same error (ErrInvalidLogin) for a not-found email address and for an incorrect password, so fixing this side-channel together with issue #1 will stop this leakage of user information. See OWASP's cheat sheet for more details.

# How to fix it?

Don't have an early exit in Authenticate, as shown in the OWASP cheat sheet:

```
password_hash=HASH(password)
IS_VALID=LOOKUP_CREDENTIALS_IN_STORE(username, password_hash)
IF NOT IS_VALID THEN
   RETURN Error("Invalid Username or Password!")
ENDIF
```
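The same idea applied to a Go Authenticate without the early return, as an added example that is not the bouts.app code: the user store, the ByEmail lookup and the iterated-SHA-256 `slowHash` are constructed stand-ins (a real implementation would keep bcrypt and compare against a pre-computed dummy bcrypt hash when the lookup fails), but the structure is the fix being proposed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// slowHash stands in for bcrypt: salted, iterated SHA-256 whose cost is identical for every input (constructed, not a real KDF).
func slowHash(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 20000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

type User struct{ Email string; Salt, Hash []byte } // a registered account
type UserStore struct{ users map[string]*User }    // hypothetical in-memory stand-in for the models store

var ErrInvalidLogin = errors.New("invalid email or password") // one error for both failure modes
// dummyUser gives the unknown-e-mail path the same hashing work as a real record.
var dummyUser = &User{Salt: []byte("dummy-salt"), Hash: slowHash([]byte("dummy-salt"), "dummy")}

// NewStore registers one user; a real store would draw the salt from crypto/rand.
func NewStore(email, password string) *UserStore {
	salt := []byte("per-user-salt")
	return &UserStore{users: map[string]*User{email: {Email: email, Salt: salt, Hash: slowHash(salt, password)}}}
}

func (s *UserStore) ByEmail(email string) (*User, error) {
	if u, ok := s.users[email]; ok {
		return u, nil
	}
	return nil, errors.New("user not found")
}

// Authenticate: no early return when ByEmail fails; the hash is always computed, compared in constant time, one error.
func (s *UserStore) Authenticate(email, password string) (*User, error) {
	u, err := s.ByEmail(email)
	found := err == nil
	if !found {
		u = dummyUser // do the same work as for a registered user
	}
	match := subtle.ConstantTimeCompare(slowHash(u.Salt, password), u.Hash) == 1
	if !found || !match {
		return nil, ErrInvalidLogin
	}
	return u, nil
}
```

Note that `found` is checked alongside `match`, so a password that happens to hash to the dummy record can never log in.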

# When should this be fixed?

Before production.

# Other information

This is not experience-breaking, and it is a very common side-channel that would be difficult to measure anyway because of variable latency and network speeds.

Status: REPORTED
Submitter: ~ethanmad
Assigned to: No-one
Submitted: 4 years ago
Updated: 4 years ago
Labels: priority:low type:security