Pylons horus services.py timing discrepancy
Description
A timing side-channel vulnerability in Pylons horus's password comparison allows remote attackers to enumerate passwords via response-time measurements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A timing discrepancy vulnerability exists in the login method of the AuthenticationService class in horus/flows/local/services.py. The original code used a direct string comparison (user.password != password) which is not constant-time, allowing an attacker to infer password characters based on response time variations. All versions prior to the patch commit fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec are affected [1].
Exploitation
An attacker must have network access to the authentication endpoint and the ability to measure response times with sufficient precision. By sending a series of password guesses and analyzing the time taken for each response, the attacker can deduce the correct password character by character. The attack is considered difficult due to network noise and the need for precise timing measurements.
Impact
Successful exploitation allows an attacker to recover a user's password, leading to unauthorized access to the application. The primary impact is information disclosure of credentials, potentially resulting in full account compromise.
Mitigation
The vulnerability is fixed by applying commit fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec, which replaces the non-constant-time comparison with a constant-time function is_equal that uses hmac.compare_digest when available, or a custom implementation that avoids short-circuit evaluation [1]. No workarounds are documented; applying the patch is recommended.
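The two comparison strategies the Mitigation section contrasts, shown side by side as an added illustration. This is Python written for this page, not code from the horus project or from the fix commit; the helper names `_to_bytes`, `_fallback_equal` and the minimal `AuthenticationService` sketch (with its constructed user dictionary) are assumptions chosen here to make the example self-contained. `is_equal` follows the shape the advisory describes (prefer `hmac.compare_digest`, otherwise a loop with no data-dependent early exit) rather than reproducing the upstream function.

```python
import hmac
from typing import Union

StrOrBytes = Union[str, bytes]


def _to_bytes(value: StrOrBytes) -> bytes:
    """Normalise str/bytes to bytes so both operands have the same type.

    hmac.compare_digest raises TypeError on a str/bytes mix and only
    accepts ASCII-only str operands, so encoding up front avoids both.
    """
    if isinstance(value, bytes):
        return value
    return value.encode("utf-8")


def insecure_equal(stored: StrOrBytes, supplied: StrOrBytes) -> bool:
    """The vulnerable pattern: plain ==/!= on the two values.

    CPython's string comparison returns as soon as it sees a differing
    byte, so its running time depends on the length of the common prefix.
    This is the `user.password != password` behaviour the advisory
    describes; it is kept here only for contrast with is_equal().
    """
    return _to_bytes(stored) == _to_bytes(supplied)


def _fallback_equal(a: bytes, b: bytes) -> bool:
    """Constant-time comparison for interpreters lacking compare_digest.

    Every byte pair is visited regardless of where the first mismatch
    occurs; differences are OR-ed into an accumulator that is inspected
    only at the end, so there is no short-circuit. Unequal lengths return
    False immediately, which reveals only the length, the same trade-off
    hmac.compare_digest itself makes.
    """
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def is_equal(stored: StrOrBytes, supplied: StrOrBytes) -> bool:
    """Constant-time equality check in the spirit of the upstream fix."""
    a, b = _to_bytes(stored), _to_bytes(supplied)
    compare = getattr(hmac, "compare_digest", None)  # absent on very old Pythons
    if compare is not None:
        return compare(a, b)
    return _fallback_equal(a, b)


class AuthenticationService:
    """Hypothetical minimal login check wired to the constant-time compare.

    Not the horus class; the user store is a plain dict constructed for
    this example (username -> stored credential).
    """

    def __init__(self, users):
        self._users = users

    def login(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        if stored is None:
            return False
        return is_equal(stored, password)


if __name__ == "__main__":
    svc = AuthenticationService({"alice": "correct horse battery staple"})
    print(svc.login("alice", "correct horse battery staple"))  # True
    print(svc.login("alice", "correct horse battery stapl3"))  # False
    print(svc.login("bob", "anything"))                        # False
```

When auditing code for this class of bug, the check is mechanical: any `==`/`!=` between a secret (password, token, HMAC tag) and attacker-controlled input should be routed through `hmac.compare_digest` or an equivalent that touches every byte. Normalising both sides to the same type first, as `_to_bytes` does, prevents the `TypeError` that would otherwise turn the fix into a login-time crash.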
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 1
- fd56ccb62ce3
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
- github.com/Pylons/horus/commit/fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec (mitre; patch)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions: 0
No linked articles in our index yet.