4ga Boards User Enumeration Vulnerability via Timing Side-Channel in Authentication Endpoint

Vulnerability

A user enumeration vulnerability has been identified in 4ga Boards versions prior to 3.3.5. The issue arises from a timing side-channel in the login endpoint, POST /api/access-tokens. When an invalid username or email is submitted, the server responds quickly, averaging around 17 milliseconds. When a valid username or email is submitted with an incorrect password, the server performs a bcrypt comparison and the response takes approximately 74 milliseconds. This 4.4-fold timing difference is easily measurable over the network and allows valid accounts to be distinguished from invalid ones. The vulnerability is exacerbated by the absence of rate limiting or account lockout mechanisms, which leaves automated enumeration unhindered.

Impact

Exploitation of this vulnerability allows attackers to enumerate valid usernames or email addresses, which can be used for targeted password attacks. The lack of rate limiting and account lockout further facilitates rapid enumeration of large email lists.

Remediation

To address this vulnerability, implement constant-time password comparisons, add rate limiting to the authentication endpoint, and introduce account lockout mechanisms after a certain number of failed login attempts.

Added: Apr 24, 2026, 8:53 PM
Updated: Apr 24, 2026, 8:53 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  7.4
  remediation     0.0
  relevance       6.6
  threat          0.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.