Tyk Gateways Allows Invalid 3 Character Authorization Tokens #1681
Description
Do you want to request a feature or report a bug?
This is a bug
What is the current behavior?
Any API using Authorization header with Tyk AuthToken (key) that has an access list (not using Profile) lets all requests through that have 3 characters or less in the Authorization header.
What is the expected behavior?
Obviously these are not valid keys and should be blocked.
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem
Create an API, create a Key for the API, make a request to the API with any 3 character combination. Now try a 4 character combination.
Which versions of Tyk affected by this issue? Did this work in previous versions of Tyk?
We saw this in Gateway version 2.3.5 through 2.6.1