Summary

The WhatsApp webhook verification in `mcp-clients/src/mcp_clients/whatsapp_bot.py` uses Python's `==` operator to compare the verify token. This is vulnerable to timing side-channel attacks (CWE-208).

Location

`whatsapp_bot.py:482`:

```python
if mode == "subscribe" and token == VERIFY_TOKEN:
```

Impact

An attacker can measure response times to deduce the `VERIFY_TOKEN` character-by-character. Python's `==` on strings short-circuits on the first mismatched character, leaking information about which prefix is correct.

Suggested Fix

Use `hmac.compare_digest()` for constant-time comparison:

```python
import hmac

if mode == "subscribe" and hmac.compare_digest(token or "", VERIFY_TOKEN or ""):
```

Fix PR: forthcoming.
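As an added example (not code from the project or from this report), the following shows the verification handler rewritten around the constant-time compare, with the original `==` form kept alongside for contrast. One caveat worth knowing: `hmac.compare_digest()` accepts `str` arguments only when both are pure ASCII and raises `TypeError` otherwise, so the hardened version encodes both sides to UTF-8 bytes first; it also treats a missing query parameter as empty rather than as `None`. The function names `verify_token_vulnerable`, `verify_token_constant_time` and `handle_verification` and the sample query parameters are assumptions made for this example.

```python
import hmac
from typing import Mapping, Optional, Tuple


def verify_token_vulnerable(mode: Optional[str], token: Optional[str], verify_token: str) -> bool:
    """The original pattern: `==` on str short-circuits at the first
    mismatching character, so response time depends on how much of the
    supplied token is correct (CWE-208). Kept here only for contrast."""
    return mode == "subscribe" and token == verify_token


def verify_token_constant_time(mode: Optional[str], token: Optional[str], verify_token: str) -> bool:
    """Hardened check: compare as bytes in constant time.

    Encoding to bytes avoids the TypeError that hmac.compare_digest raises
    for non-ASCII str inputs, and `token or ""` covers a missing parameter.
    compare_digest still returns False quickly on a length mismatch, which
    reveals only the token's length, not its contents.
    """
    if mode != "subscribe":
        return False
    supplied = (token or "").encode("utf-8")
    expected = verify_token.encode("utf-8")
    return hmac.compare_digest(supplied, expected)


def handle_verification(query: Mapping[str, str], verify_token: str) -> Tuple[int, str]:
    """Minimal Meta-style webhook verification endpoint.

    Meta sends hub.mode, hub.verify_token and hub.challenge as query
    parameters; the endpoint must echo hub.challenge on success and
    reject everything else. Returns (status_code, body).
    """
    mode = query.get("hub.mode")
    token = query.get("hub.verify_token")
    challenge = query.get("hub.challenge", "")
    if verify_token_constant_time(mode, token, verify_token):
        return 200, challenge
    return 403, "Forbidden"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    secret = "example-verify-token"  # placeholder, not a real token
    good = {"hub.mode": "subscribe", "hub.verify_token": secret, "hub.challenge": "12345"}
    bad = {"hub.mode": "subscribe", "hub.verify_token": "example-verify-tokeX", "hub.challenge": "12345"}
    missing = {"hub.mode": "subscribe", "hub.challenge": "12345"}
    for name, q in (("good", good), ("bad", bad), ("missing", missing)):
        print(name, handle_verification(q, secret))
```

The vulnerable and hardened functions return the same booleans for the same inputs; the difference is only in how long the mismatching cases take, which is exactly what the report is about.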