Don’t Be a Victim: Find your weaknesses before the criminals do. PEN Consultants can help!

Month: August 2021

2021-08-19

Responsible Vulnerability Disclosure

An ongoing responsible (but frustrating) vulnerability disclosure with a well-known cybersecurity vendor. After reading through this, please leave your feedback at one of the following polls: The vulnerability risk scores somewhere between a 4.0 and 4.2 on a CVSS calculation (e.g., https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N), so not a huge deal. We could certainly develop a working PoC (with time), […]

2021-08-02

User Enumeration vs Password Spraying

What do you call a User Enumeration attack against a login service (i.e. username + password)? Based on recent polling (Source_1, Source_2), it would appear our industry peers call this a password spray attack (by a 3-to-1 margin), despite the purpose clearly being for user enumeration. This article will explain why we are taking a minority […]
