
Security concern: User Accounts Enumeration
When using LDAP as the user source, the application's response during authentication requests allows an unauthenticated attacker to enumerate valid accounts.
The responses contain variations when authentication failures occur.
By evaluating these differences, an attacker can enumerate users from a company's domain using scripts and automated tools.
Reference
Testing for User Enumeration and Guessable User Account (OWASP-AT-002) - OWASP
Proof of Concept
When trying to authenticate with an invalid username, the system responds with "Invalid credentials. Please try again."
When trying to authenticate with a valid username, the system responds with "Password has expired; contact your system administrator to change your password and try again."
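The following is an added illustration, not code from the original post or from the product being discussed. It models the two response behaviours described above with a constructed in-memory stand-in for the LDAP user source (the DIRECTORY table, the usernames and the hashing helper are all assumptions): a leaky handler that returns a different message for an unknown user than for a valid account whose password has expired, and a hardened handler that returns one generic message for every failure and keeps the real reason in the server log. The responses_distinguish_users check can serve as a regression test that the login path stays uniform.

```python
import hashlib
import hmac
import logging
from typing import Callable, Tuple

logger = logging.getLogger("auth")


def _h(pw: str) -> str:
    # Hashing helper for the constructed directory below; not how a real LDAP bind works.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed stand-in for the LDAP user source: username -> (password hash, password expired?).
# A real deployment would bind against the directory; this table only lets the example run offline.
DIRECTORY = {
    "alice": (_h("correct horse"), False),
    "bob": (_h("battery staple"), True),  # valid account whose password has expired
}

GENERIC_FAILURE = "Invalid credentials. Please try again."
EXPIRED_FAILURE = ("Password has expired; contact your system administrator "
                   "to change your password and try again.")


def authenticate_verbose(username: str, password: str) -> Tuple[bool, str]:
    """Leaky variant: the message reveals whether the username exists."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False, GENERIC_FAILURE
    pw_hash, expired = entry
    if expired:
        # Distinct message for a valid-but-expired account: this is the enumeration oracle.
        return False, EXPIRED_FAILURE
    if not hmac.compare_digest(pw_hash, _h(password)):
        return False, GENERIC_FAILURE
    return True, "OK"


def authenticate_uniform(username: str, password: str) -> Tuple[bool, str]:
    """Hardened variant: every failure returns the same message; the detail goes to the log."""
    entry = DIRECTORY.get(username)
    # Always run the comparison so an unknown user costs the same work as a wrong password.
    pw_hash, expired = entry if entry is not None else (_h(""), False)
    password_ok = hmac.compare_digest(pw_hash, _h(password))
    if entry is None:
        reason = "unknown user"
    elif expired:
        reason = "password expired"
    elif not password_ok:
        reason = "bad password"
    else:
        return True, "OK"
    # The specific reason is useful to administrators, so it stays server-side.
    logger.info("auth failure user=%r reason=%s", username, reason)
    return False, GENERIC_FAILURE


def responses_distinguish_users(auth_fn: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Regression check: do failure messages differ between an unknown user and valid ones?"""
    _, unknown_msg = auth_fn("nobody", "x")
    _, expired_msg = auth_fn("bob", "x")
    _, wrong_pw_msg = auth_fn("alice", "x")
    return len({unknown_msg, expired_msg, wrong_pw_msg}) > 1


if __name__ == "__main__":
    print("verbose handler leaks account existence:", responses_distinguish_users(authenticate_verbose))
    print("uniform handler leaks account existence:", responses_distinguish_users(authenticate_uniform))
```

A uniform message alone does not close the gap if response timing still differs between the branches, which is why the hardened handler performs the hash comparison on every path; the expired-password notice can still be delivered after a successful login or through an out-of-band channel.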
Answer

Hi Mendy,
Thanks for raising your concern here. You can always change the message to see the response you would like from Admin > Appearance page.

I did that.
I'm just bringing this up as a potential security concern that should be corrected for everyone.