
Timing attack vulnerability

Open kezakez opened this issue 9 years ago • 0 comments

AuthenticateLocalAsync is vulnerable to a timing attack. In IdentityServer3 the LoginLocal route can give away what accounts exist when used with AspNetIdentityUserService. When using a bad password, entering an account that exists responds more quickly than one that doesn't.

See https://github.com/IdentityServer/IdentityServer3/pull/3423/commits/130acc0111fbe67b5c0f45c5048188bbabab0362 for a simple example of how to fix.

kezakez, Dec 21 '16 11:12
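An added, language-agnostic illustration of the pattern behind this report and its usual fix (example code, not from IdentityServer3 or the linked commit): the early return on an unknown user skips the expensive password-hash step, so the response time reveals whether the account exists; the hardened variant always performs one hash verification, against a dummy record when the user is missing. The user store, hasher and function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample store: one account, salt and hash generated locally.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash the real user store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential (hypothetical): verified when no such user exists so the
# unknown-user path costs the same hash work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def authenticate_vulnerable(username: str, password: str) -> tuple[bool, int]:
    """Returns (authenticated, hash_runs). Unknown user -> zero hash runs."""
    record = USERS.get(username)
    if record is None:
        return False, 0           # early exit: cheap, and observably faster
    salt, stored = record
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return ok, 1


def authenticate_hardened(username: str, password: str) -> tuple[bool, int]:
    """Returns (authenticated, hash_runs). Always exactly one hash run."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    # Never accept a match against the dummy, even if one were ever to occur.
    return ok and record is not None, 1
```

The hash runs are the dominant cost, which is what equalising them targets; residual differences (the store lookup itself, logging) remain and should be reviewed separately.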