Listen to this Post
The time-based enumeration vulnerability in PrestaShop’s Front Office (FO) login form exploits differential response times during user authentication. When a login request is submitted, the application processes the input to validate credentials. For existing user accounts, the system performs a database lookup and subsequent password verification, which introduces a measurable delay. In contrast, for non-existent accounts, the application may return an error immediately, resulting in a faster response. An attacker can automate a series of login attempts with potential usernames or email addresses, precisely measuring the time taken for each response. Using tools like curl with time metrics, the attacker sends POST requests to the authentication endpoint. By analyzing the response times across multiple attempts, statistical anomalies can indicate whether an account exists. This side-channel attack bypasses typical login failure messages that do not disclose account validity. The vulnerability is present in the authentication logic where user existence is checked before comprehensive validation, creating a timing discrepancy. Attackers can leverage this to enumerate valid customer accounts without triggering immediate security alerts. Successful enumeration enables targeted attacks such as credential stuffing or brute force on known accounts. The issue stems from insecure coding practices that do not implement constant-time algorithms for user lookup and authentication. Mitigation requires ensuring that all login paths, including for invalid users, take uniform time to complete, regardless of account existence.
Platform: PrestaShop
Version: Before 8.2.4, 9.0.0-9.0.2
Vulnerability : Time-based user enumeration
Severity: Moderate
date: Feb 3 2026
Prediction: Expected patch Feb 3
What Undercode Say:
!/bin/bash
Bash command to demonstrate time-based enumeration via curl
for user in $(cat wordlist.txt); do
response_time=$(curl -o /dev/null -s -w ‘%{time_total}’ -X POST –data “email=$user&password=wrong” http://target.com/login)
echo “$user: $response_time”
done
how Exploit:
Automate login requests with wordlist, measure response times, compare delays to identify valid accounts.
Protection from this CVE
Update to patched versions 8.2.4 or 9.0.3; implement constant-time authentication checks.
Impact:
Account enumeration leading to targeted attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

