OpenSlides
cpe:2.3:a:openslides:openslides:*:*:*:*:*:*:*
- 4.2.4
A timing side-channel vulnerability has been identified in OpenSlides versions prior to 4.2.5. During the login process at the '/system/auth/login/' endpoint, the response time varies depending on whether the submitted username exists in the system. The discrepancy arises because password hashing is skipped for non-existing users: responses take approximately 15 milliseconds for non-existing users compared to approximately 200 milliseconds for existing users. This difference can be used to infer the existence of users in the system.
Exploitation of this vulnerability allows for user enumeration, where an attacker can determine which usernames are registered in the system based on the response times during login attempts.
To reproduce this vulnerability, attempt to log in with a username that does not exist in the system. Note the response time, which should be around 15 milliseconds. Then, log in with a username that does exist. The response time for this should be approximately 200 milliseconds, demonstrating the timing discrepancy that can be exploited for user enumeration.
Users can update to OpenSlides version 4.2.5, where this vulnerability has been patched.
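A common mitigation for this class of flaw, shown here as an added example that is neither OpenSlides code nor the 4.2.5 patch: run the password hash on every login attempt, using a dummy record when the username is unknown. The user store, function names and PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not OpenSlides' actual setting
kdf_calls = 0         # instrumentation for this demo only


def kdf(password: str, salt: bytes) -> bytes:
    """Slow password hash; this is the dominant cost of a login attempt."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, kdf(password, salt)


# Constructed user store (hypothetical data).
USERS = {"alice": make_record("correct horse")}
# Fixed dummy record so unknown usernames incur the same hashing work.
DUMMY = make_record(os.urandom(16).hex())


def login_unequal(username: str, password: str) -> bool:
    """Shape of the flaw described above: hashing is skipped for unknown users."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: response time reveals the user is absent
    salt, digest = record
    return hmac.compare_digest(kdf(password, salt), digest)


def login_equalized(username: str, password: str) -> bool:
    """Always perform one hash; an unknown user is checked against DUMMY."""
    record = USERS.get(username)
    salt, digest = record if record is not None else DUMMY
    ok = hmac.compare_digest(kdf(password, salt), digest)
    return ok and record is not None


def kdf_calls_for(fn, username: str, password: str) -> int:
    """Number of slow hashes a single login attempt triggers."""
    before = kdf_calls
    fn(username, password)
    return kdf_calls - before
```

Counting hash invocations rather than wall-clock time keeps the check deterministic; in a deployment, comparing login latency distributions for known and unknown usernames confirms the paths have converged.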