During a security audit of one of my old websites, I discovered a potential vulnerability related to timing attacks, specifically in the Forgot Password feature.
A timing attack is a sophisticated way to circumvent security mechanisms and discover vulnerabilities by studying how long it takes the system to respond to different inputs [1].
The vulnerability is related to our use of PHPMailer. When a user requests a password reset, the system shows a “false-positive” notification, the same notification as when the user exists. The issue is that PHPMailer's send function causes a noticeable time difference between the two, which allows users to detect which user email is valid or not.
These are some of the ideas I have come up with so far to deal with the issue:
- Send an email to the user, even if it’s not a valid email in the database, with a message informing that a request was sent, but the email is not found in the database and whether they want to create one. This one comes with a caveat since this can be abused by sending random people spammy emails, and to counter this, a more aggressive rate limit would have to be implemented.
- Send the request using JavaScript and show the notification before emailing. This one requires more changes to the existing system, so I prefer to avoid it.
Any insights or suggestions on how to achieve this would be greatly appreciated.
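To make the leak concrete, here is an added example (not code from the original post, and a Python model of the flow rather than the site's PHP) contrasting the inline-send handler with one that only enqueues a job and leaves the user lookup and the PHPMailer-style send to a background worker. USERS, SlowMailer and the message text are constructed stand-ins.

```python
import time
from typing import Dict, List, Tuple

# Constructed sample user table standing in for the site's database.
USERS: Dict[str, int] = {"alice@example.com": 1, "bob@example.com": 2}
# Same wording for known and unknown addresses, as the post already does.
GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


class SlowMailer:
    """Stand-in for PHPMailer::send(): one SMTP round-trip that takes time."""
    def __init__(self, delay_s: float) -> None:
        self.delay_s = delay_s
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        time.sleep(self.delay_s)  # simulated SMTP latency
        self.sent.append((to, body))


def forgot_password_leaky(email: str, mailer: SlowMailer) -> str:
    """Vulnerable shape: the SMTP send runs inline, and only for known users."""
    user_id = USERS.get(email)
    if user_id is not None:
        mailer.send(email, f"reset link for user {user_id}")  # slow branch
    return GENERIC_MESSAGE  # identical text, but the response time differs


def forgot_password_hardened(email: str, queue: List[str]) -> str:
    """Hardened shape: the handler does the same work for every address
    (enqueue, respond) and never touches the database or SMTP."""
    queue.append(email)
    return GENERIC_MESSAGE


def reset_worker(queue: List[str], mailer: SlowMailer) -> int:
    """Background job: user lookup and send happen here, off the request path.
    Returns the number of emails actually sent."""
    sent = 0
    while queue:
        email = queue.pop(0)
        user_id = USERS.get(email)
        if user_id is not None:
            mailer.send(email, f"reset link for user {user_id}")
            sent += 1
    return sent


def response_time(handler, email: str, backend) -> float:
    """Wall-clock time of one request, the quantity an attacker measures."""
    start = time.perf_counter()
    handler(email, backend)
    return time.perf_counter() - start
```

In the real site the worker (a queued job or cron task) is where the database lookup and the PHPMailer call belong; the request handler then finishes in the same time whether or not the address is registered.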