Fix Remote Timing Attack vulnerability #64

Merged
merged 2 commits into from Nov 12, 2013

Contributor

h0ke commented Feb 11, 2013

The way the SDK compares the signed_request signature with the expected signature is vulnerable to a remote timing attack. For more information, see the following articles.

http://codahale.com/a-lesson-in-timing-attacks/
http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/
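The problem the pull request describes, shown as an added example rather than the SDK's own code or this PR's diff: a plain `===` comparison of the received signature against the freshly computed HMAC returns as soon as the first byte differs, so response time correlates with how many leading bytes matched. The `constant_time_equals` function below touches every byte before deciding, so the timing no longer depends on where a mismatch occurs. The `signed_request` layout ("`<base64url signature>.<base64url payload>`", HMAC-SHA256 over the payload with the app secret), the placeholder app secret and the sample payload are constructed for the demo; the helper names are assumptions, not SDK identifiers.

```php
<?php
// Added example (not the SDK's code or this PR's diff): compares a
// short-circuiting signature check with a constant-time one.

// Vulnerable pattern: === / !== stop at the first differing byte, which is
// exactly what the articles linked above measure over the network.
function vulnerable_equals($known, $user)
{
    return $known === $user;
}

// Constant-time comparison: OR-accumulates the XOR of every byte pair, so
// the loop always runs to the end and the result is decided only afterwards.
// Returning early on a length mismatch is acceptable: the expected length
// (32 bytes for a raw HMAC-SHA256) is public, not secret.
function constant_time_equals($known, $user)
{
    $known = (string) $known;
    $user  = (string) $user;
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// base64url helpers (assumed layout of the signed_request string).
function base64_url_encode($input)
{
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

function base64_url_decode($input)
{
    // base64_decode() tolerates the missing '=' padding of base64url.
    return base64_decode(strtr($input, '-_', '+/'));
}

// Verifies "<sig>.<payload>" using whichever comparison function is passed in,
// so the vulnerable and hardened checks can be swapped for demonstration.
function verify_signed_request($signed_request, $app_secret, $compare)
{
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return false;
    }
    list($encoded_sig, $payload) = $parts;
    $sig          = base64_url_decode($encoded_sig);
    $expected_sig = hash_hmac('sha256', $payload, $app_secret, true); // raw bytes
    return $compare($expected_sig, $sig);
}

// Constructed demo input with a placeholder secret (not a real app secret).
$app_secret = 'PLACEHOLDER_APP_SECRET';
$payload    = base64_url_encode(json_encode(array(
    'algorithm' => 'HMAC-SHA256',
    'user_id'   => '123',
)));
$good_sig = base64_url_encode(hash_hmac('sha256', $payload, $app_secret, true));
$bad_sig  = base64_url_encode(str_repeat("\0", 32)); // wrong signature, right length

// Both comparisons return the same booleans; only the timing profile differs.
var_dump(verify_signed_request("$good_sig.$payload", $app_secret, 'constant_time_equals'));
var_dump(verify_signed_request("$bad_sig.$payload",  $app_secret, 'constant_time_equals'));
var_dump(verify_signed_request("$good_sig.$payload", $app_secret, 'vulnerable_equals'));
var_dump(verify_signed_request("$bad_sig.$payload",  $app_secret, 'vulnerable_equals'));
```

On PHP 5.6 and later the built-in `hash_equals($known, $user)` does the same job and should be preferred; the hand-written loop is what a 2013-era codebase had to ship. The argument order matters for `hash_equals` (known value first) and is kept the same here.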

Contributor

gfosco commented Oct 15, 2013

Sorry it took so long to respond to this. Can you sign the Contributor License Agreement? https://developers.facebook.com/opensource/cla

Once that's done we can look at merging this. Thanks for your contribution.

Contributor

h0ke commented Oct 15, 2013

Signed. 👍

Contributor

gfosco commented Oct 28, 2013

Will get back to you about this soon, hopefully this week. We had discussed internally and want to suggest a few changes.

Contributor

h0ke commented Oct 28, 2013

Alrighty. 😃

Contributor

gfosco commented Oct 31, 2013

Can you add a space between the 'if' and the opening parenthesis on line 1024?

depoll pushed a commit that referenced this pull request Nov 12, 2013

David Poll
Merge pull request #64 from h0ke/master
Fix Remote Timing Attack vulnerability

@depoll depoll merged commit 7ea7c6b into facebookarchive:master Nov 12, 2013

Contributor

depoll commented Nov 12, 2013

Thanks for your contribution!
