A timing side-channel vulnerability in darkhttp’s implementation for HTTP-based authentication. Since the auth check is done by a strcmp() call which iterates and compares each character of the string, by observing the amount of time taken in the auth check, each character can be side-channeled to bruteforce the HTTP password. The vulnerability was fixed by using a constant-time string comparison algorithm.