Time-Based-Side-Channel-Attack on backup codes – Two Factor Authentication (Updraft) <= 1.14.5

Affected plugin: Two Factor Authentication
Active installs: 20.000+
Vulnerable version: <= 1.14.5
Audited version: 1.14.3
Fully patched version:
Recommended remediation: Removal of the plugin

Description


The plugin uses string comparison operators that do not mitigate time-based side-channel attacks, which could be abused to reverse engineer information about a user’s emergency backup codes.

Proof of concept


The plugin uses the simple string comparison “==” in at least two places where a skilled and determined attacker could exploit this to find out a user’s secrets using the methods explained here.

Both occurrences are located in the Simba_TFA_Provider_TOTP::check_code_for_user method.

Validating a provided six-digit one time password:

$match = false;
foreach ($codes as $index => $code) {
    // "==" is not constant-time: it returns as soon as the first differing
    // byte is found, so the comparison time depends on how many leading
    // characters of the submitted code are correct.
    if (trim($code->toHotp(6)) == trim($user_code)) {
        $match = true;
        $found_index = $index;
        break;
    }
}

Validating a user’s emergency code:

$dec = [];
foreach ($emergency_codes as $emergency_code) {
    $dec[] = trim($this->decryptString(trim($emergency_code), $user_id));
}

// array_search() uses loose ("==") comparison internally, so it has the
// same early-exit timing behaviour as the check above.
$in_array = array_search($user_code, $dec);
$match = $in_array !== false;

Proposed patch


Exclusively use hash_equals everywhere secrets are compared.
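As an added illustration of the proposed patch (this is not code from the plugin or from the advisory's author), the two checks above rewritten to use hash_equals(); the function names and the $decrypt callback that stands in for $this->decryptString() are assumptions made for this example:

```php
<?php
// Added example, not the plugin's own code. hash_equals() compares its two
// string arguments in time that depends only on their length, not on where
// the first differing byte is, which removes the timing signal that "==" and
// array_search() leak.

/**
 * Constant-time check of a six-digit TOTP against a list of candidate codes.
 * $codes is assumed to be the same array of objects with a toHotp(int)
 * method that the advisory's snippet iterates. Returns the matching index,
 * or false if none matches.
 */
function find_matching_totp(array $codes, string $user_code)
{
    $user_code   = trim($user_code);
    $found_index = false;
    foreach ($codes as $index => $code) {
        // Cast to string: hash_equals() rejects non-string arguments.
        // A length mismatch returns false immediately, which is acceptable
        // here because the code length (6 digits) is public anyway.
        if (hash_equals((string) trim($code->toHotp(6)), $user_code)) {
            $found_index = $index;
            // Deliberately no break: every candidate is compared so the
            // loop's running time does not reveal which index matched.
        }
    }
    return $found_index;
}

/**
 * Constant-time check of an emergency (backup) code. array_search() is
 * replaced by an explicit loop so each stored code goes through
 * hash_equals(). $decrypt is a callable standing in for the plugin's
 * decryptString(); it is assumed to return the plaintext backup code.
 */
function emergency_code_matches(array $emergency_codes, string $user_code, callable $decrypt): bool
{
    $user_code = trim($user_code);
    $match     = false;
    foreach ($emergency_codes as $emergency_code) {
        $stored = (string) trim($decrypt(trim($emergency_code)));
        if (hash_equals($stored, $user_code)) {
            $match = true; // keep looping, same reasoning as above
        }
    }
    return $match;
}
```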

Timeline


Vendor contacted: May 30, 2022 (through WPScan)
First response: June 28, 2022 (vendor contacted by WPScan)
Fully patched at:
Publicly disclosed: April 24, 2023
