Note Mark Timing Side-Channel Vulnerability in Login Endpoint Allows Username Enumeration

Vulnerability

A timing side-channel vulnerability has been identified in the Note Mark application, specifically in the login endpoint of versions through 0.19.1. This vulnerability allows unauthenticated attackers to enumerate valid usernames by measuring response times. The login endpoint performs bcrypt password verification only for existing usernames, causing a noticeable delay, while requests for nonexistent usernames are processed immediately. This timing discrepancy can be exploited to confirm the existence of usernames, thereby facilitating targeted credential attacks.

Impact

Exploitation of this vulnerability allows for reliable enumeration of valid usernames, one at a time, which can enhance the effectiveness of credential stuffing, password spraying, phishing, and other targeted account attacks.

Reproduction

The vulnerability can be reproduced by sending repeated authentication requests to the login endpoint, using a known valid username and an invalid password. By alternating between the valid username and a nonexistent username, and comparing the response times, the timing discrepancy can be measured. Valid usernames, which require bcrypt password verification, will consistently result in longer response times compared to nonexistent usernames.

Remediation

Users can update to Note Mark version 0.19.2, which addresses this vulnerability by ensuring that the login endpoint processes username existence checks in a way that does not leak information through timing differences.
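The remediation pattern the advisory describes, as an added illustration that is not Note Mark's code: the leaky handler skips the password check when the username is unknown, while the hardened handler always runs the same password verification against a dummy hash, so both outcomes cost the same. PBKDF2 via the standard library stands in for bcrypt, and the user table, dummy hash and timing helper are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Work factor chosen so that verification is measurably slow (bcrypt stand-in).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16

def hash_password(password, salt=None):
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest

def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed user table for the example.
USERS = {"alice": hash_password("correct horse battery staple")}

# Hash of a random secret nobody knows; exists only so unknown usernames
# pay the same KDF cost as known ones. Must use the same parameters as real hashes.
DUMMY_HASH = hash_password(secrets.token_hex(16))

def login_leaky(username, password):
    stored = USERS.get(username)
    if stored is None:
        return False  # returns at once: no KDF work, so the response is faster
    return verify_password(password, stored)

def login_constant_work(username, password):
    stored = USERS.get(username)
    user_exists = stored is not None
    # The expensive verification always runs, whether or not the user exists.
    ok = verify_password(password, stored if user_exists else DUMMY_HASH)
    return ok and user_exists

def timing_gap_ms(login, valid="alice", bogus="nobody", rounds=5):
    # Regression check for the fix: mean response time for a known username
    # minus that for an unknown one, both with a wrong password.
    def measure(name):
        start = time.perf_counter()
        for _ in range(rounds):
            login(name, "wrong-password")
        return (time.perf_counter() - start) / rounds
    return (measure(valid) - measure(bogus)) * 1000
```

For the leaky handler the gap is roughly one full KDF run; for the hardened handler it collapses to measurement noise, which is the property a release test should pin down.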

Added: Apr 17, 2026, 1:23 AM
Updated: Apr 17, 2026, 1:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 6.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.