User enumeration at login
Created by: xTibor
The login program is vulnerable to user enumeration. It only asks for a password, and only applies the failure timeout, when the specified user account exists; a nonexistent user is rejected immediately. The password prompt therefore acts as an oracle (login asks for a password = the user exists on the system), allowing a malicious actor to brute force the list of valid usernames at a rate of hundreds of usernames per second.
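The decision logic described above, as an added example that is not the login program's own source and not part of this report: a constructed account list (the names are made up) stands in for the system user database, the failure delay is recorded rather than slept so the program runs instantly, and an attacker-side loop shows that the vulnerable shape confirms exactly the existing accounts while the fixed shape confirms none.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FAIL_DELAY 3   /* seconds a real login would sleep after a failure */

/* Constructed stand-in for the system account database; names are made up. */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    { "alice", "correct-horse" },
    { "bob",   "hunter2" },
};

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Everything an unauthenticated caller can observe about one attempt.
   The delay is recorded instead of slept so the example runs instantly. */
struct observation {
    bool prompted;          /* was a password requested at all? */
    unsigned delay_seconds; /* how long the caller was made to wait */
    bool success;
};

typedef struct observation (*login_fn)(const char *, const char *);

/* Vulnerable shape from the report: an unknown user is rejected at once,
   with no prompt and no delay, so the prompt itself is the oracle. */
struct observation login_vulnerable(const char *name, const char *password) {
    struct observation o = { false, 0, false };
    const struct account *a = lookup(name);
    if (a == NULL)
        return o;                     /* leaks: instant, promptless rejection */
    o.prompted = true;
    if (strcmp(a->password, password) == 0)
        o.success = true;
    else
        o.delay_seconds = FAIL_DELAY; /* leaks: delay only for real accounts */
    return o;
}

/* Fixed shape: always prompt, always delay on failure, whether or not the
   account exists. A real implementation should also run the password hash
   against a dummy hash for unknown users so the CPU cost matches too. */
struct observation login_hardened(const char *name, const char *password) {
    struct observation o = { true, 0, false };
    const struct account *a = lookup(name);
    bool ok = (a != NULL) && strcmp(a->password, password) == 0;
    if (ok)
        o.success = true;
    else
        o.delay_seconds = FAIL_DELAY;
    return o;
}

/* Attacker's view: a name "exists" if the response to a wrong password
   differs from the response for a name known not to exist. */
size_t enumerate(login_fn login, const char *const *cands, size_t n, bool *found) {
    struct observation base = login("no-such-user-zz", "wrong");
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct observation o = login(cands[i], "wrong");
        found[i] = (o.prompted != base.prompted) ||
                   (o.delay_seconds != base.delay_seconds);
        if (found[i]) hits++;
    }
    return hits;
}

int main(void) {
    static const char *const cands[] = { "alice", "bob", "carol", "dave" };
    size_t n = sizeof cands / sizeof cands[0];
    bool found[4];
    login_fn impls[] = { login_vulnerable, login_hardened };
    const char *labels[] = { "vulnerable", "hardened" };
    for (int k = 0; k < 2; k++) {
        size_t hits = enumerate(impls[k], cands, n, found);
        printf("%s login: %zu of %zu names confirmed to exist:", labels[k], hits, n);
        for (size_t i = 0; i < n; i++)
            if (found[i]) printf(" %s", cands[i]);
        printf("\n");
    }
    return 0;
}
```

The attacker only needs to send a wrong password to every candidate name and compare each response against a name that certainly does not exist; with the vulnerable shape the prompt and delay split the candidates cleanly into existing and nonexistent accounts, with the fixed shape every candidate looks the same.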
Demo: https://www.youtube.com/watch?v=7XfipgWmpxM
Possible fix: Ask for a password and apply the timeout even when the specified user doesn't exist.