|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Skype for Business: information disclosure via the response time
Synthesis of the vulnerability
An attacker can measure the response time of the Web authentication of Skype for Business, in order to obtain usernames.
Impacted software: Skype for Business.
Severity of this computer vulnerability: 2/4.
Consequences of a hack: data reading.
Attacker's origin: internet client.
Creation date: 17/06/2016.
Références of this announce: VIGILANCE-VUL-19918.
Description of the vulnerability
The Skype for Business product includes a Web interface and can use a private directory as an account database.
However, the response time of a Web authentication request mainly depends on whether the username is valid.An attacker who can guess realistic values for usernames can check his guess without access to the directory. In the case of a Windows Active Directory, the guessed account names are also system accounts and maybe mail accounts.
An attacker can therefore measure the response time of the Web authentication of Skype for Business, in order to obtain usernames.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides a computers vulnerabilities bulletin. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.