Forgot Password Timing Attacks [closed]


During a security audit of one of my old websites, I discovered a potential vulnerability related to timing attacks, specifically in the Forgot Password feature.

A timing attack is a sophisticated way to circumvent security mechanisms and discover vulnerabilities by studying how long it takes the system to respond to different inputs [1]

The vulnerability is related to our use of PHPMailer. When a user requests a password reset, the system shows a “false-positive” notification, the same notification as when the user exists. The issue is that PHPMailer's send function causes a noticeable time difference between the two, which allows users to detect whether a user email is valid or not.

These are some of the ideas I have come up with so far to deal with the issue:

  1. Send an email to the user, even if it’s not a valid email in the database, with a message informing them that a request was sent but the email was not found in the database, and asking whether they want to create an account. This one comes with a caveat, since it can be abused by sending random people spammy emails, and to counter this, a more aggressive rate limit would have to be implemented.

  2. Send the request using JavaScript and show the notification before emailing. This one requires more changes to the existing system, so I prefer to avoid it.

Any insights or suggestions on how to achieve this would be greatly appreciated.
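One way to take PHPMailer's send() out of the request path entirely and pad what remains to a fixed floor, as an added example and not the asker's code; the callables, the `reset_queue` / `password_resets` tables and `$baseUrl` are assumptions:

```php
<?php
// Added example (not the asker's code). Two mitigations together:
//  1. the reset mail is queued in a table and delivered later by a CLI/cron
//     worker, so PHPMailer::send() never runs inside the web request;
//  2. the request is padded to a fixed minimum duration so the remaining
//     lookup/insert work does not reveal whether the address exists.
// $findUserByEmail and $queueReset are hypothetical callables; the table and
// column names below are assumptions.

use PHPMailer\PHPMailer\PHPMailer;

const MIN_RESPONSE_NS = 200000000; // 200 ms floor; set it above your slowest honest path

function handleForgotPassword(string $email, callable $findUserByEmail, callable $queueReset): string
{
    $start = hrtime(true);
    $user = $findUserByEmail($email);        // null when the address is unknown
    if ($user !== null) {
        $queueReset($user['id'], $email);    // cheap INSERT, no SMTP round-trip here
    }
    $elapsed = hrtime(true) - $start;
    if ($elapsed < MIN_RESPONSE_NS) {
        time_nanosleep(0, MIN_RESPONSE_NS - $elapsed); // pad both branches to the floor
    }
    // Identical wording whether or not the address was found.
    return 'If that address is registered, a password reset link has been sent.';
}

// Worker run from cron/CLI: drains the queue outside any web request.
function deliverQueuedResetMails(PDO $pdo, PHPMailer $mailer, string $baseUrl): void
{
    $rows = $pdo->query('SELECT id, user_id, email FROM reset_queue WHERE sent_at IS NULL')
                ->fetchAll(PDO::FETCH_ASSOC);
    $store = $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at)
                            VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 1 HOUR))');
    $mark  = $pdo->prepare('UPDATE reset_queue SET sent_at = NOW() WHERE id = ?');
    foreach ($rows as $row) {
        $token = bin2hex(random_bytes(32));
        $store->execute([$row['user_id'], hash('sha256', $token)]); // store only the hash
        $mailer->clearAddresses();
        $mailer->addAddress($row['email']);
        $mailer->Subject = 'Password reset';
        $mailer->Body    = "Reset your password: {$baseUrl}/reset?token={$token}";
        if ($mailer->send()) {
            $mark->execute([$row['id']]);
        }
    }
}
```

Measure the p99 of the found and not-found paths after the change and keep MIN_RESPONSE_NS above both; the padding only hides the difference if the floor is never exceeded. Per-IP and per-address rate limiting on the endpoint is still needed, since queued mail can be abused for enumeration-by-volume and for spamming the registered users themselves.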