Time-Based-Side-Channel-Attack on 2FA secrets – (Google Authenticator <= 0.54)

Affected pluginGoogle Authenticator
Active installs30,000+
Vulnerable version<= 0.54
Audited version0.54
Fully patched version
Recommended remediationRemoval of the plugin


The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input.
A skilled attacker, given enough requests, can abuse this to reverse secrets using time-based-side-channel attacks.

Proof of concept

Validation of TOTP codes:

if ( $value === $thistry ) {
 // Check for replay (Man-in-the-middle) attack.
 // Since this is not Star Trek, time can only move forward,
 // meaning current login attempt has to be in the future compared to
 // last successful login.
 if ( $lasttimeslot >= ($tm+$i) ) {
  error_log("Google Authenticator plugin: Man-in-the-middle attack detected (Could also be 2 legit login attempts within the same 30 second period)");
  return false;
 // Return timeslot in which login happened.
 return $tm+$i;

Proposed patch

Exclusively use hash_equals to compare secrets.


Vendor contactedSeptember 12, 2022
First ResponseSeptember 12, 2022
Fully patched at
Publicly disclosedApril 24, 2023


  • The vendor did not consider this to be a security issue.

Leave a Reply

Your email address will not be published. Required fields are marked *