Timing Attack / Unintended Error Message on verifyAuthChallenge.

[DSSoftware]

File: api.php
Method: verifyAuthChallenge | UNAUTH

Description: It's possible to bruteforce all the logins, as API returns the error "WRONG_LOGIN" if login was wrong and "WRONG_PASSWORD" if password was wrong. Besides, the returnError() method returns kills the instance after the error, so it creates a possibility for Timing Attack even if the error messages were fixed.

Ways to mitigate this issue:

• Change the error messages to "WRONG_CREDENTIALS"
• Add a way to prevent Timing attack. This might help: usleep(random_int(0, 999999));
• Change the error message in index.php from two separate to one about wrong credentials.

[DSSoftware]

Added a temporary solution to prevent timing attacks. (Task #2)

[DSSoftware]

Changed the error message from WRONG_LOGIN & WRONG_PASSWORD to WRONG_CREDENTIALS. (Task #1)

[DSSoftware]

Changed the error message in index.php to message that informs user about wrong credentials, not separately about wrong login / password. (Task #3)