Short Description
User enumeration based on response times
Reporting Date
- August 2022
Details
Based on the duration of the response time for a login attempt, it was possible to identify whether the specified user was in the system or not.
This determination can be used for further attacks against existing users. Executing a login attempt for a non-existing user only takes a few milliseconds, while an existing user needs significantly more time. The backend does not ensure similar delays for the different scenarios.
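The following is an added illustration, not code from the advisory or the affected project: a login routine that returns early for unknown users, shown beside a version that performs the same password-hashing work on every attempt so that the response time no longer reveals whether the account exists. The user store, the dummy credential and the helper names are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed user store: one existing account, password "correct horse".
ITERATIONS = 50_000
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, ITERATIONS)),
}

# Dummy credential: burns the same hashing cost when the user does not exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, ITERATIONS)


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users are rejected before any hashing,
    so the response is milliseconds faster than for an existing user."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login_uniform(username: str, password: str) -> bool:
    """Hardened pattern: the expensive hash runs on every attempt, against a
    dummy record when the user is unknown, and the attempt is then rejected."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    match = hmac.compare_digest(candidate, stored)
    return match and user_exists


def timing_gap_ms(login, rounds: int = 5) -> float:
    """Median response time for an existing user minus that for an unknown
    user, in ms. A clearly positive gap is the signal the advisory describes;
    use it as a regression check that the hardened routine keeps it near zero."""
    def median_ms(name):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(name, "wrong password")
            samples.append((time.perf_counter() - start) * 1000)
        return sorted(samples)[rounds // 2]
    return median_ms("alice") - median_ms("nobody")
```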
Impact
Low
References
❤ Thanks to
Simon Reinhart for detection and reporting of the vulnerability.