🔗 User enumeration: what it is and why it matters

an overview of user enumeration, its various forms, and its impacts

August 15, 2023 · 1 min · 150 words | source

This talk is about user enumeration, its impacts, and why Microsoft should take it seriously. Everything demonstrated is by design.

Microsoft has decided that user enumeration does not qualify as a vulnerability.

What is User Enumeration?

Enables an attacker to identify VALID accounts, and INVALID accounts based on server response

Examples:

Verbose login response - “Your username is invalid”

Time-based login response

INVALID Username response time: 10s

VALID Username login response time: 1s

Web server response differs (403 vs 404 HTTP Status Code)

[404] http://fakedomain.com/application/users/tom

[403] http://fakedomain.com/application/users/john

User Enumeration is a Security Flaw

ENABLES:

Password sprays

Phishing

Targeted RCE or similar (every so often)

Unnecessary “feature”

Allows identification and targeting of users directly

Often includes full names (john.smith or john.j.smith formats)

Durable lists - names change infrequently in a lifetime

Can’t hit what you can’t see (or at least it’s harder