CWE-208 Base Incomplete

Observable Timing Discrepancy

Definition

What is CWE-208?

This vulnerability occurs when an application takes measurably different amounts of time to perform different operations, such as checking a password or processing a request. An attacker can observe these timing differences to learn sensitive information, like whether a username is valid or a cryptographic key guess is correct.

Timing discrepancies act as a side channel, leaking information through the back door of performance. Even tiny, millisecond differences in response times can be statistically analyzed by an attacker to map out internal application logic, bypassing intended security controls. This is especially dangerous in authentication, authorization, and cryptographic functions where a 'fast fail' for an incorrect input can reveal its validity. To exploit this, attackers don't need direct access to error messages or data—they simply measure how long operations take. For example, a string comparison that stops at the first mismatched character will return faster for a wrong password starting with an incorrect letter than for one starting with the correct letter. Over many requests, this allows an attacker to gradually infer secrets, piece by piece, by observing which operations take longer to complete.

Real-world impact

Real-world CVEs caused by CWE-208

CVE-2019-10071

Java-oriented framework compares HMAC signatures using String.equals() instead of a constant-time algorithm, causing timing discrepancies
CVE-2019-10482

Smartphone OS uses comparison functions that are not in constant time, allowing side channels
CVE-2014-0984

Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.
CVE-2003-0078

SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
CVE-2000-1117

Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
CVE-2003-0637

Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.
CVE-2003-0190

Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
CVE-2004-1602

FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.

How attackers exploit it

Step-by-step attacker path

1
Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.
2
Since the code breaks on an incorrect entry of password, an attacker can guess the correct password for that byte-check iteration with few repeat attempts.
3
To fix this weakness, either the comparison of the entire string should be done all at once, or the attacker is not given an indication whether pass or fail happened by allowing the comparison to run through all bits before the grant_access signal is set.
4
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
5
When the attacker tries their own values, they can first try strings of various length. When they find a string of the right length, the computation will take a bit longer, because the for loop will run at least once. Additionally, with this code, the attacker can possibly learn one character of the password at a time, because when they guess the first character right, the computation will take longer than a wrong guesses. Such an attack can break even the most sophisticated password with a few hundred guesses.

Vulnerable code example

Vulnerable Verilog

Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.

Vulnerable Verilog

always_comb @ (posedge clk)

 begin

```
   assign check_pass[3:0] = 4'b0;
   for (i = 0; i < 4; i++) begin
  	 if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 - 1) : i])
  		 assign check_pass[i] = 1;
  		 continue;
  	 else
  		 assign check_pass[i] = 0;
  		 break;
  	 end
   assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0;
 end

Secure code example

Secure Verilog

To fix this weakness, either the comparison of the entire string should be done all at once, or the attacker is not given an indication whether pass or fail happened by allowing the comparison to run through all bits before the grant_access signal is set.

Secure Verilog

always_comb @ (posedge clk)
 begin

```
   assign check_pass[3:0] = 4'b0;
   for (i = 0; i < 4; i++) begin
  	 if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 -1) : i])
  		 assign check_pass[i] = 1;
  		 continue;
  	 else
  		 assign check_pass[i] = 0;
  		 continue;
  	 end
   assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0;
 end

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-208

Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
Implementation Validate input at trust boundaries; use allowlists, not denylists.
Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
Operation Monitor logs for the runtime signals listed in the next section.

Detection signals

How to detect CWE-208

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-208 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-208?

How serious is CWE-208?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-208?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-208?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

How does Plexicus detect and fix CWE-208?

Plexicus's SAST engine matches the data-flow signature for CWE-208 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-208?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/208.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-208

CWE-203 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo

Observable Timing Discrepancy

What is CWE-208?

Real-world CVEs caused by CWE-208

Step-by-step attacker path

Vulnerable Verilog

Secure Verilog

How to prevent CWE-208

How to detect CWE-208

Plexicus auto-detects CWE-208 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-208

Observable Discrepancy

Improper Protection of Physical Side Channels

Non-Transparent Sharing of Microarchitectural Resources

Observable Response Discrepancy

Observable Behavioral Discrepancy

Covert Timing Channel

Use of a Broken or Risky Cryptographic Algorithm

Incorrect Comparison Logic Granularity

Further reading

Don't Let Security
Weigh You Down.

Observable Timing Discrepancy

What is CWE-208?

Real-world CVEs caused by CWE-208

Step-by-step attacker path

Vulnerable Verilog

Secure Verilog

How to prevent CWE-208

How to detect CWE-208

Plexicus auto-detects CWE-208 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-208

Observable Discrepancy

Improper Protection of Physical Side Channels

Non-Transparent Sharing of Microarchitectural Resources

Observable Response Discrepancy

Observable Behavioral Discrepancy

Covert Timing Channel

Use of a Broken or Risky Cryptographic Algorithm

Incorrect Comparison Logic Granularity

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.