Observable Timing Discrepancy in Login Portal in answerdev/answer


Reported on

Feb 21st 2023


An observable discrepancy in response times is present in the login portal. When enumerating email accounts (for example, by submitting a list of candidate addresses with an arbitrary password), the response time for a valid account is significantly higher than for an invalid one. This is likely due to the application's use of Bcrypt's compare function, which is only reached when the supplied email matches an existing user; unknown emails are rejected before the expensive comparison runs.
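The discrepancy described above, reduced to its essentials as an added example (this is illustrative code, not the Answer project's login handler). PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the block runs offline; the oracle comes from the cost of the comparison, not from the algorithm. The user table, email addresses and helper names are constructed for the demonstration. `login_vulnerable` returns early for unknown emails, so a wrong password against a known account costs one KDF run while an unknown account costs microseconds; `login_hardened` verifies unknown emails against a dummy hash so both paths do the same work.

```python
"""Timing oracle from password hashing only on the known-user path (added example)."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Stand-in for bcrypt (assumption: the real application uses bcrypt).  The
# iteration count is tuned so one verification costs a noticeable fraction of a second.
KDF_ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password, salt); a deliberately slow hash."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    """Recompute the slow hash and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user table; the account is hypothetical, not from the report.
USERS: Dict[str, bytes] = {"alice@example.com": hash_password("correct horse")}

# Hash of a random throwaway password: unknown emails are checked against this so
# the hardened path always pays the KDF cost.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def login_vulnerable(email: str, password: str) -> bool:
    """Early return for unknown emails: a fast 'no' versus a slow 'no' leaks existence."""
    stored = USERS.get(email)
    if stored is None:
        return False
    return check_password(password, stored)


def login_hardened(email: str, password: str) -> bool:
    """Always runs the KDF; the result for unknown emails is forced to False afterwards."""
    stored = USERS.get(email)
    ok = check_password(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None


def time_login(fn: Callable[[str, str], bool], email: str, password: str, runs: int = 3) -> float:
    """Minimum wall-clock time over `runs` attempts (the minimum filters scheduler noise)."""
    best = float("inf")
    for _ in range(runs):
        t0 = time.perf_counter()
        fn(email, password)
        best = min(best, time.perf_counter() - t0)
    return best


def timing_ratio(fn: Callable[[str, str], bool]) -> float:
    """Known-email / unknown-email response time, both with a wrong password.
    A ratio far above 1 is exactly the oracle an enumerating attacker measures."""
    known = time_login(fn, "alice@example.com", "wrong password")
    unknown = time_login(fn, "nobody@example.com", "wrong password")
    return known / unknown


if __name__ == "__main__":
    print(f"vulnerable: known/unknown = {timing_ratio(login_vulnerable):.1f}x")
    print(f"hardened:   known/unknown = {timing_ratio(login_hardened):.1f}x")
```

The hardened variant only closes the hashing channel; the handler must also return the same error message and status for "unknown email" and "wrong password", and per-IP rate limiting on the login endpoint still matters, since enumeration through a slow endpoint is merely slower, not impossible.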

It was also noted that CAPTCHA codes were reusable. The tester made over 1,000 requests with the same CAPTCHA code without receiving an error that the code was invalid. The tester believes this is due to the way the request was intercepted, and that the application temporarily stores the "a_captcha" token value in local browser storage; however, it is not completely clear.
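As an added example of the property the CAPTCHA check above was missing (illustrative code, not the Answer project's implementation; the class, token format and answers are hypothetical): a server-side store that binds each challenge to an opaque token, expires it, and consumes it on the first verification attempt, so a captured token/answer pair cannot be replayed across a thousand login requests.

```python
"""Single-use, expiring CAPTCHA tokens (added example, hypothetical store)."""
import secrets
import threading
import time
from typing import Callable, Dict, Tuple


class CaptchaStore:
    """Maps an opaque token to (expected answer, expiry time).

    verify() removes the entry before checking the answer, so a token is spent
    by its first use, right or wrong: replaying a solved challenge fails, and so
    does guessing the answer for a single token more than once.
    """

    def __init__(self, ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._entries: Dict[str, Tuple[str, float]] = {}
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._lock = threading.Lock()

    def issue(self, answer: str) -> str:
        """Register a freshly rendered challenge and return the token sent to the client."""
        token = secrets.token_urlsafe(24)
        with self._lock:
            self._entries[token] = (answer, self._clock() + self._ttl)
        return token

    def verify(self, token: str, answer: str) -> bool:
        """Consume the token and return whether `answer` matched before expiry."""
        with self._lock:
            entry = self._entries.pop(token, None)   # consumed regardless of outcome
        if entry is None:
            return False                             # unknown, expired-and-purged, or already used
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        return secrets.compare_digest(expected, answer)

    def purge_expired(self) -> int:
        """Drop stale challenges; returns how many were removed (call periodically)."""
        now = self._clock()
        with self._lock:
            stale = [t for t, (_, exp) in self._entries.items() if now > exp]
            for t in stale:
                del self._entries[t]
        return len(stale)


def replay_attempts(store: CaptchaStore, attempts: int = 1000) -> int:
    """Replay one solved challenge `attempts` times; return how many the store accepted."""
    token = store.issue("7k3p")                      # constructed answer
    return sum(store.verify(token, "7k3p") for _ in range(attempts))


if __name__ == "__main__":
    print("accepted replays:", replay_attempts(CaptchaStore()))
```

Storing the token only in the browser (local storage or a cookie) cannot give this guarantee, because the client controls whether the token is "forgotten"; the consumed flag has to live on the server, and for a multi-instance deployment in a shared store such as Redis rather than an in-process dict.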

This vulnerability was identified in the Answer application deployed through Docker. Screenshot evidence of the finding is available here - https://themayor.notion.site/Answer-CWE-208-a81897ea892d4101b55675a06e373643

Proof of Concept

POST /answer/api/v1/user/login/email HTTP/1.1
Content-Length: 116
Accept-Language: en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 
Content-Type: application/json
Accept: */*
Referer: http://z11afzm1zlwvdy52d3g6luob72d48ywn.oastify.com/ref
Accept-Encoding: gzip, deflate
Connection: close



An attacker can determine which email addresses correspond to registered accounts, which expands the application's attack surface by giving targeted password-guessing or phishing campaigns a confirmed list of valid users.

We are processing your report and will contact the answerdev/answer team within 24 hours (3 months ago)
We have contacted a member of the answerdev/answer team and are waiting to hear back (3 months ago)
Joe Helle modified the report (3 months ago)
joyqi validated this vulnerability (2 months ago)
Joe Helle has been awarded the disclosure bounty
joyqi marked this as fixed in 1.0.6 with commit 813ad0 2 months ago
This vulnerability has been assigned a CVE
joyqi published this vulnerability 2 months ago