joola.io: Timing Attack Side-Channel on API Token Verification

2014-10-12T18:17:52
ID H1:31167
Type hackerone
Reporter voodookobra
Modified 2014-10-25T18:11:13

Description

https://github.com/joola/joola/blob/develop/lib/dispatch/users.js#L514

Because tokens are compared with the === operator, this may be susceptible to timing attacks. More info: http://codahale.com/a-lesson-in-timing-attacks/

This is probably not the lowest hanging fruit for an attacker, but it's something you might want to fix. :)

Replacement utility: https://github.com/cryptocat/cryptocat/blob/32fd02f8d899e219a004281eb0ce364cb52dd62a/src/core/js/lib/otr.js#L145-L152
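
The comparison issue described above, shown as an added Node.js example (not joola's code and not the linked cryptocat utility). The function names and the sample token are hypothetical; `crypto.timingSafeEqual` is Node's built-in constant-time buffer comparison.

```javascript
'use strict';
// Added example: constant-time API token check for Node.js.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Per-process random key. HMAC-ing both sides yields fixed-length digests,
// so timingSafeEqual never throws on a length mismatch and the comparison
// time does not depend on where the two tokens first differ.
const COMPARE_KEY = randomBytes(32);

function digest(value) {
  return createHmac('sha256', COMPARE_KEY).update(value, 'utf8').digest();
}

// Pattern from the report: === may return as soon as a character differs.
function naiveTokenEqual(presented, stored) {
  return presented === stored;
}

// Hardened form: always compares two 32-byte buffers in constant time.
function safeTokenEqual(presented, stored) {
  if (typeof presented !== 'string' || typeof stored !== 'string') {
    return false; // reject missing or non-string tokens outright
  }
  return timingSafeEqual(digest(presented), digest(stored));
}

// Constructed sample token, not a real credential.
const STORED_TOKEN = 'example-token-0123456789abcdef';

function demo() {
  return {
    match: safeTokenEqual('example-token-0123456789abcdef', STORED_TOKEN),
    wrongLastChar: safeTokenEqual('example-token-0123456789abcdee', STORED_TOKEN),
    shorter: safeTokenEqual('example', STORED_TOKEN),
    missing: safeTokenEqual(undefined, STORED_TOKEN),
  };
}

console.log(demo());
```

Both functions return the same boolean for every input; the difference is only in how long the comparison takes relative to the position of the first mismatch.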