Observable Timing Discrepancy in http-signature
Cxa6b1c6b3-0f59
- http-signature
Summary
http-signature prior to 1.0.0 is vulnerable to timing attacks against its signature verification. The library uses strict equality comparison (`===`) to validate signatures. This built-in JavaScript comparison works character by character and stops at the first mismatch, so the comparison returns in different amounts of time depending on how many leading characters match. This can be used to guess the valid signature one character at a time. The issue was mitigated by double-hashing both values before comparing them.
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-208 - Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
References
Advisory Timeline
- Published