What is a timing oracle?

A timing oracle is a vulnerability where an application takes different amounts of time to respond based on the input, allowing an attacker to infer information like whether a username exists in a database.

What is a detectability threat in software security?

A detectability threat occurs when an adversary can determine that a specific record exists or an action was performed by observing system responses or metadata, even if they cannot see the actual content.

Can this skill automatically fix detected privacy issues?

Yes, when using the --fix flag, the skill can generate constant-time code patterns, implement uniform error responses, and add appropriate padding to encrypted outputs.

How does this skill help with GDPR compliance?

It helps fulfill 'Data Protection by Design' (Article 25) by identifying side channels that could reveal the presence of personal data to unauthorized observers.

Privacy Detectability & Side-Channel Analyst

Name: Privacy Detectability & Side-Channel Analyst
Author: florianbuetow

byflorianbuetow

•

Security & Testing

Analyzes source code for detectability threats and timing side channels to prevent unauthorized inference of system interactions.

The Privacy Detectability Analyst skill identifies subtle privacy vulnerabilities where external observers can infer system actions or the existence of sensitive records through side channels and metadata patterns. Built on the LINDDUN D1 framework, it systematically scans for user enumeration risks, timing oracles, and inconsistent error responses that compromise unobservability. This skill is critical for developers building high-privacy applications, ensuring that API behaviors do not leak information about user presence or data existence to potential adversaries or traffic analysts.

Key Features

01Analyzes encrypted message padding to prevent size-based traffic analysis

02Suggests fixes for uniform error handling and constant-time operations

03Detects timing side channels and oracles that reveal database record existence

04Scans for presence indicators and activity signals lacking opt-out mechanisms

056 GitHub stars

06Identifies user enumeration vulnerabilities in authentication and registration flows

Use Cases

01Verifying privacy-by-design compliance for GDPR and CCPA requirements during the CI/CD process

02Hardening financial or health platforms against timing-based probing of sensitive transactions

03Auditing API endpoints to ensure error messages don't confirm the existence of specific user accounts

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code detecting

For use in Claude.ai and ChatGPT

Download Skill