PolarLearn Timing Attack Vulnerability in Sign-In Process Allows User Enumeration

Vulnerability

A timing attack vulnerability has been identified in PolarLearn versions through 0-PRERELEASE-15. It allows unauthenticated attackers to determine whether a specific email address is registered on the platform by measuring the response time of the login endpoint. The server performs the resource-intensive Argon2 password hashing only for existing users, so requests for registered email addresses take significantly longer than requests for unknown ones. This timing discrepancy can be exploited to enumerate registered users.

Impact

Exploitation of this vulnerability allows for user enumeration, enabling attackers to verify the existence of accounts associated with specific email addresses. This could lead to targeted phishing attacks, password resets, or credential stuffing.

Reproduction

To reproduce this vulnerability, use the browser's developer tools on the PolarLearn sign-in page. Navigate to the sign-in endpoint and, after solving any CAPTCHA, open the Browser Console. Paste a script that measures the response time of the sign-in API when using different email addresses. Compare the response times for valid and invalid emails to confirm the vulnerability.

Remediation

Users are advised to update to the patched version of PolarLearn, which fixes this vulnerability by performing Argon2 hashing on every sign-in attempt, whether or not the submitted email address exists in the database.
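The pattern behind that fix, as an added example that is not PolarLearn's own code: the vulnerable handler returns early for unknown emails, while the fixed handler hashes against a dummy credential so both paths do the same expensive work. `hashlib.scrypt` stands in for Argon2 (an assumption, chosen so the example runs with the standard library), the user store is constructed, and the call counter exists only to make the difference observable without timing.

```python
import hashlib
import hmac
import os
import secrets

# hashlib.scrypt stands in for Argon2: a slow, salted password hash.
# A real deployment would use the same Argon2 parameters for the dummy hash
# as for stored user hashes, so the two paths cost the same.
def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

# Constructed user store: {email: (salt, hash)} with one registered account.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _kdf("correct horse battery staple", _SALT))}

# Dummy credential hashed once at startup; the "no such user" path verifies
# against it so that it performs a full KDF run just like the real path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _kdf(secrets.token_hex(16), _DUMMY_SALT)

KDF_CALLS = {"count": 0}  # instrumentation only: counts expensive hash runs

def _counted_kdf(password: str, salt: bytes) -> bytes:
    KDF_CALLS["count"] += 1
    return _kdf(password, salt)

def login_vulnerable(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False  # fast path: unknown email skips the KDF entirely
    salt, stored = rec
    return hmac.compare_digest(_counted_kdf(password, salt), stored)

def login_fixed(email: str, password: str) -> bool:
    rec = USERS.get(email)
    # Unknown email: verify against the dummy so the KDF always runs.
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_counted_kdf(password, salt), stored)
    return matched and rec is not None  # never accept a dummy match

def kdf_calls_for(handler, email: str, password: str):
    """Return (login result, number of KDF runs) for one handler call."""
    before = KDF_CALLS["count"]
    result = handler(email, password)
    return result, KDF_CALLS["count"] - before
```

The residual difference in the fixed handler is the database lookup itself, which is small next to the KDF; the dummy hash must be computed with the same parameters as real hashes or the gap reappears.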

Added: Feb 2, 2026, 11:18 PM
Updated: Feb 2, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.3
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.