This talk is about user enumeration, its impacts, and why Microsoft should take it seriously. Everything demonstrated is by design.
Microsoft has decided that user enumeration does not qualify as a vulnerability.
What is User Enumeration?
- Enables an attacker to identify VALID accounts, and INVALID accounts based on server response
Verbose login response - “Your username is invalid”
Time-based login response
- INVALID Username response time: 10s
- VALID Username login response time: 1s
Web server response differs (403 vs 404 HTTP Status Code)
User Enumeration is a Security Flaw
- Password sprays
- Targeted RCE or similar (every so often)
Allows identification and targeting of users directly
- Often includes full names (john.smith or john.j.smith formats)
- Durable lists - names change infrequently in a lifetime
Can’t hit what you can’t see (or at least it’s harder