snicco

Taking the pain out of enterprise WordPress development

Time-Based-Side-Channel-Attack on 2FA secrets – (iThemes Security <= 8.1.2)

Calvin Alkan

| in

Affected pluginiThemes Security
Active installs1+ million
Vulnerable version<= 8.1.2
Audited version8.1.2
Fully patched version
Recommended remediationRemoval of the plugin

Description

The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input.
A skilled attacker, given enough requests, can abuse this to reverse secrets using time-based-side-channel attacks.

Proof of concept

Validation of TOTP codes:

/**
 * Checks if a given code is valid for a given key, allowing for a certain amount of time drift
 *
 * @param string $key      The share secret key to use.
 * @param string $authcode The code to test.
 *
 * @return bool Whether the code is valid within the time frame
 */
private function _is_valid_authcode( $key, $authcode ) {
    /**
     * Filter the maximum ticks to allow when checking valid codes.
     *
     * Ticks are the allowed offset from the correct time in 30 second increments,
     * so the default of 4 allows codes that are two minutes to either side of server time
     *
     * @param int $max_ticks Max ticks of time correction to allow. Default 4.
     */
    $max_ticks = apply_filters( 'two-factor-totp-time-step-allowance', self::DEFAULT_TIME_STEP_ALLOWANCE );
    
    // Array of all ticks to allow, sorted using absolute value to test closest match first.
    $ticks = range( - $max_ticks, $max_ticks );
    usort( $ticks, array( $this, 'abssort' ) );
    
    $time = time() / self::DEFAULT_TIME_STEP_SEC;
    
    foreach ( $ticks as $offset ) {
        $log_time = $time + $offset;
        if ( $this->calc_totp( $key, $log_time ) === $authcode ) {
            return true;
        }
    }
    
    return false;
}

Proposed patch

Exclusively use hash_equals to compare secrets.

Timeline

Vendor contactedSeptember 07, 2022
First Response (from a developer)
Fully patched at
Publicly disclosedApril 24, 2023

Miscellaneous

  • The vendor made us send the POC through third-party chat software to support staff despite asking explicitly for a security@ email.

Leave a Reply

Your email address will not be published. Required fields are marked *