[BUG] Cryptographic Timing Attack Vulnerability in Admin API Authentication

[rishabh0510rishabh]

---

title: "[BUG] Cryptographic Timing Attack Vulnerability in Admin API Authentication"
labels: level:critical, quality:exceptional, type:security, type:performance

Problem / Motivation

Analysis of the REST Admin API middleware reveals a critical security vulnerability in how Bearer tokens are validated.

In humane_proxy/api/admin.py, the _require_admin dependency extracts the HUMANE_PROXY_ADMIN_KEY from the environment and compares it against the incoming request credentials using a standard equality operator (!=):

# [humane_proxy/api/admin.py:48]
if credentials is None or credentials.credentials != admin_key:
    raise HTTPException(
        status_code=401,
        detail="Invalid or missing Bearer token.",
        headers={"WWW-Authenticate": "Bearer"},
    )
```python
---
Standard string comparison in Python evaluates character-by-character and short-circuits upon the first mismatch. This introduces a measurable timing discrepancy based on how many characters of the attacker's payload match the actual secret. An attacker can exploit this timing side-channel to brute-force the HUMANE_PROXY_ADMIN_KEY over the network, granting them full access to the /admin endpoints (including the ability to export or delete sensitive escalation logs).

To Reproduce
Start the HumaneProxy server with a configured HUMANE_PROXY_ADMIN_KEY.
Send repeated GET /admin/health or GET /admin/stats requests with varying Bearer tokens.
Measure the microsecond response time differences between a token where the first character matches the secret vs. a token where it does not.
Observe the timing leak caused by the short-circuiting != operator.
Expected Behaviour
Authentication token comparison must be executed in constant time, regardless of the input's validity or length, to prevent timing side-channel attacks.

Suggested Fix
Import the hmac module from the Python standard library and replace the standard equality operator with hmac.compare_digest. This function is specifically designed for cryptographic constant-time string comparison.

Update humane_proxy/api/admin.py:

[rishabh0510rishabh]

hey @Vishisht16 please assign this to me With labels

[Vishisht16]

@rishabh0510rishabh I tried reproducing your test locally with the method you provided. On a 64 character secret, a set of 0, 16, 32, 48 and 63 match points was tested with 5,000,000 comparisons per measurement and 10 independent rounds per variant. The mean delta between 0-match and 63-match was ~0.009 ns. There was no monotonic increase in timing as match length grows, so I couldn't reproduce the bug you mentioned. The hmac variant doesn't show any statistically significant timing variation (p-value = 0.106).

However, I found out that it's a known vulnerability (CWE-208) so I'll accept it as an enhancement with level:advanced label since you found it. The fix is also small and I'll merge the PR immediately when you raise it. Let me know if you have a rebuttal you'd like to follow up with.

[rishabh0510rishabh]

Thanks for verifying and testing it in detail @Vishisht16
I understand your observations regarding the negligible timing differences in local benchmarking and the lack of statistically significant variation in practice.

My main intention behind reporting this was from a security-hardening perspective, since direct string comparison for secrets is still generally discouraged and classified under CWE-208. Even if exploitation is difficult in realistic network conditions, replacing it with hmac.compare_digest is considered the recommended cryptographic-safe approach and improves defense-in-depth with almost no implementation overhead.

Thanks as well for accepting it as an enhancement and assigning the level:advanced label. I’ll prepare the PR with the constant-time comparison fix shortly.