use fixed-time comparison of secrets (#1698)

2025-12-20 18:23:44 +00:00 · 2021-11-08 15:55:42 -05:00
parent c07794e907
commit 7cc7b84eaf
8 changed files with 18 additions and 8 deletions
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -893,7 +893,7 @@ namespace Bit.Core.Services
                return false;
            }

-            if (string.Compare(user.TwoFactorRecoveryCode, recoveryCode, true) != 0)
+            if (!CoreHelpers.FixedTimeEquals(user.TwoFactorRecoveryCode, recoveryCode))
            {
                return false;
            }