{"title":"Timing Attack via Naive String Comparison in Authentication Tokens","language":"Python","severity":"High","cwe":"CWE-208","source_lines":[6],"flow_lines":[6,7],"sink_lines":[7],"vulnerable_code":"import hashlib\nfrom flask import request, jsonify\n\ndef verify_iot_device_signature(device_id):\n    stored_sig = get_device_signature_from_hsm(device_id)\n    incoming_sig = request.headers.get('X-Device-Signature')\n    if incoming_sig == stored_sig:\n        return jsonify({'status': 'authorized', 'device': device_id})\n    return jsonify({'status': 'unauthorized'}), 401\n\ndef get_device_signature_from_hsm(dev_id):\n    return hashlib.sha256(f'device_{dev_id}_secret_key'.encode()).hexdigest()","explanation":"The code uses naive string comparison (==) to verify cryptographic signatures, which performs character-by-character comparison and returns False as soon as a mismatch is found. This creates measurable timing differences that attackers can exploit to reconstruct valid signatures byte-by-byte through statistical analysis of response times.","remediation":"The fix replaces the naive string comparison operator (==) with hmac.compare_digest(), which performs constant-time comparison regardless of where characters differ. This eliminates timing side-channel information that attackers could use to reconstruct valid device signatures byte-by-byte. An additional None check is added to handle missing headers gracefully before the comparison.","secure_code":"import hashlib\nimport hmac\nfrom flask import request, jsonify\n\ndef verify_iot_device_signature(device_id):\n    stored_sig = get_device_signature_from_hsm(device_id)\n    incoming_sig = request.headers.get('X-Device-Signature')\n    if incoming_sig is None:\n        return jsonify({'status': 'unauthorized'}), 401\n    if hmac.compare_digest(incoming_sig, stored_sig):\n        return jsonify({'status': 'authorized', 'device': device_id})\n    return jsonify({'status': 'unauthorized'}), 401\n\ndef get_device_signature_from_hsm(dev_id):\n    return hashlib.sha256(f'device_{dev_id}_secret_key'.encode()).hexdigest()"}