Skip to content

Security: Mitigate username enumeration and timing attacks#3

Open
cezargf wants to merge 1 commit into
masterfrom
fix/login-security-timing-enumeration-1991321859301721256
Open

Security: Mitigate username enumeration and timing attacks#3
cezargf wants to merge 1 commit into
masterfrom
fix/login-security-timing-enumeration-1991321859301721256

Conversation

@cezargf
Copy link
Copy Markdown
Owner

@cezargf cezargf commented May 16, 2026

This change improves the security of the application's authentication flows. By replacing specific "User not found" messages with generic "Invalid credentials" messages, we prevent attackers from enumerating valid usernames. Furthermore, by introducing a dummy password_verify execution when a user is not found, we normalize the response time for both successful and unsuccessful login attempts, mitigating timing attacks that could otherwise be used to infer the existence of a user.

PR created automatically by Jules for task 1991321859301721256 started by @cezargf

@google-labs-jules @cezargf
Security: Mitigate username enumeration and timing attacks in login f…
8f46e7a 
…unctions

- Replaced "Usuário não encontrado" messages with a generic "Os dados de acesso estão incorretos." to prevent username enumeration in `Login`, `Mine`, `UsuariosController`, and `ClientLoginController`.
- Implemented dummy `password_verify` checks in cases where the user is not found to normalize response times, mitigating timing attacks.

Co-authored-by: cezargf <25113573+cezargf@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown

google-labs-jules Bot commented May 16, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 16, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request implements mitigations against timing attacks and username enumeration across several login controllers by normalizing error messages and introducing a dummy password_verify call when a user is not found. The review feedback identifies that the dummy hash strings provided may be invalid, potentially causing password_verify to return early and fail the mitigation. It is recommended to use a valid bcrypt hash, address remaining timing leaks in expired account checks, and centralize the dummy hash value to avoid code duplication.

Comment thread application/controllers/Login.php
Comment thread application/controllers/api/v1/UsuariosController.php
Comment thread application/controllers/Mine.php
Comment thread application/controllers/api/v1/client/ClientLoginController.php
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cezargf