Timing Attacks Anti-Pattern

Severity: Medium

Summary

Attackers measure how long an operation takes in order to extract secrets. Early-exit comparisons leak information: comparing ABCDEF to ABCDEG takes longer than comparing ABCDEF to XBCDEF, because more characters match before the first mismatch. These timing differences enable character-by-character secret recovery.

The Anti-Pattern

The anti-pattern is a comparison function that returns early upon finding a difference in sensitive values (passwords, tokens, hashes).

BAD Code Example

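# VULNERABLE: String comparison leaking timing information.

def insecure_compare(s1, s2):
    # Exits on first mismatch (early exit).
    for a, b in zip(s1, s2):
        if a != b:
            return False  # running time depends on the matching prefix
    return len(s1) == len(s2)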
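
The early-exit leak and its fix, as an added example that is not part of the original skill page: it counts byte comparisons as a deterministic stand-in for elapsed time, using the page's ABCDEF sample. The function names, the guess list and the step counter are assumptions made for illustration.

```python
import hmac


def early_exit_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Anti-pattern: returns (equal, byte comparisons performed)."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps  # work done depends on the matching prefix
    return True, steps


def full_scan_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Hardened shape: every byte is examined and mismatches are OR-ed together.

    Illustrates the structure only; pure Python gives no timing guarantee.
    """
    if len(secret) != len(guess):
        return False, 0
    diff, steps = 0, 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b  # no branch on secret data
    return diff == 0, steps


def verify_token(expected: bytes, presented: bytes) -> bool:
    """What production code should call: the stdlib constant-time comparison."""
    return hmac.compare_digest(expected, presented)


SECRET = b"ABCDEF"  # the page's sample value
GUESSES = [b"XBCDEF", b"ABXDEF", b"ABCDEG", b"ABCDEF"]  # constructed inputs


def step_profile(compare) -> list[int]:
    """Comparisons performed for each guess; a flat profile leaks nothing."""
    return [compare(SECRET, g)[1] for g in GUESSES]


if __name__ == "__main__":
    print("early exit:", step_profile(early_exit_compare))
    print("full scan: ", step_profile(full_scan_compare))
    print("verify_token match:", verify_token(SECRET, b"ABCDEF"))
```

The early-exit profile rises with the length of the matching prefix, while the full-scan profile is the same for every guess of the correct length.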
First Seen
Feb 19, 2026