This article was published on July 17, 2010

OAuth and OpenID Authentication Vulnerable To “Timing Attack”

OAuth and OpenID Authentication Vulnerable To “Timing Attack”

Authentication systems employed by large websites such as Twitter and Digg could be at risk after researchers have discovered a basic flaw that could crack a large number of open-source software libraries wide open leaving a users personal details and passwords open to attack.

The flaw was highlighted by ComputerWorld, who reported that researchers Nate Lawson and Taylor Nelson could use a well-known but difficult technique known as a “timing attack” to gather passwords from systems that utilized standards such as OAuth and OpenID.

Robert McMillian at ComputerWorld explains how Lawson and Nelson would successfully employ the technique so well, we couldn’t possibly do any better:

The attack is thought to be so difficult because it requires very precise measurements. It cracks authentication tokens by measuring the time it takes for a computer to verify a digital signature. On some systems, the server will check a cryptographic signature on a token sent by the user to prove that he has logged into the system. It will kick back an error message as soon as it spots a bad character. This means a computer returns an error for a completely bad token a tiny bit faster than one where the first character is correct.

By submitting signatures again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct digital signature.

The attack lets someone masquerade as a legitimate Web site user without actually having to log in.

It was assumed that because the internet would make it almost impossible to get precise results, a timing attack would not succeed because traffic response times would always fluctuate. Lawson and Nelson proved those theories wrong and tested attacks over the internet, local networks and also cloud computing environments, cracking passwords over all three mediums using code to filter out traffic noise and speed fluctuations.

So, what does this mean for you? Luckily, you have no need to be worried.

Lawson and Nelson have contacted the developers involved and have suggested a simple fix to the problem. To reduce the probability of a timing attack, they suggest that authentication systems should return a password response in a specific amount of time, meaning a timing attack could not prey on a longer response time.

The fix could be implemented in just six lines of code, according to the duo.