Unable to display PDF file. Download

View | Source

This talk is about user enumeration, its impacts, and why Microsoft should take it seriously. Everything demonstrated is by design.

Microsoft has decided that user enumeration does not qualify as a vulnerability.

What is User Enumeration?

  • Enables an attacker to identify VALID accounts, and INVALID accounts based on server response


User Enumeration is a Security Flaw


    • Password sprays
    • Phishing
    • Targeted RCE or similar (every so often)
  • Unnecessary “feature”

  • Allows identification and targeting of users directly

    • Often includes full names (john.smith or john.j.smith formats)
    • Durable lists - names change infrequently in a lifetime
  • Can’t hit what you can’t see (or at least it’s harder