Security issue : use hash_equals() instead of '===' to compare hashes #284

Description

@mazaheriaan

Hi dev,
I would like to point out a security issue in the Bcrypt class:

public function verify($input, $existingHash) {
    // Re-hash the input using the existing hash as salt/parameters
    $hash = crypt($input, $existingHash);

    // Byte-by-byte comparison that stops at the first mismatch
    return $hash === $existingHash;
}

A simple strict equals sign === is used for hash comparison, which is vulnerable to a timing attack.
The hash_equals() function should be used (http://php.net/manual/en/function.hash-equals.php) for comparing hashes.
See also: https://www.php.net/manual/en/function.crypt
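The change the report asks for, as an added example that is not code from the project or the reporter: the original '===' form beside a verify() that uses hash_equals(). The class name, method names and demo password are constructed for illustration.

```php
<?php
// Added example (not the project's code): constant-time hash comparison
// for crypt()/bcrypt hashes. Class and method names are constructed.

final class BcryptVerifier
{
    // Original form: '===' on strings returns at the first differing byte,
    // so the time taken leaks how long a prefix of the hash matched.
    public static function verifyUnsafe(string $input, string $existingHash): bool
    {
        $hash = crypt($input, $existingHash);
        return $hash === $existingHash;
    }

    // Hardened form: hash_equals() takes the same time for any two strings
    // of equal length, and returns false on a length mismatch without
    // revealing where the strings differ. Argument order is
    // (known_string, user_string).
    public static function verify(string $input, string $existingHash): bool
    {
        // crypt() uses the algorithm, cost and salt encoded in $existingHash.
        // If the salt is unusable it returns a short failure string ('*0'),
        // which hash_equals() rejects because the lengths differ.
        $hash = crypt($input, $existingHash);
        return hash_equals($existingHash, $hash);
    }
}

// Constructed demo input: a bcrypt hash generated at runtime.
$existing = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(BcryptVerifier::verify('correct horse battery staple', $existing));
var_dump(BcryptVerifier::verify('wrong password', $existing));
var_dump(BcryptVerifier::verifyUnsafe('correct horse battery staple', $existing));
```

PHP's built-in password_verify() performs the same constant-time comparison internally, so code that can use it instead of calling crypt() directly avoids the issue entirely.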
