Description
The comparison functions were using strcmp which compares each character at a time checking for non-matches, at the first non-match it bails returning -1, 0 or 1. This is how timing attacks are formed.
@thegoleffect asked about whether this module was vulnerable to this kind of attack. I looked into it and believe it is.
Metadata
Metadata
Assignees
Labels
No labels