We're updating the issue view to help you get more done. 

User enumeration possible by SCRAM

Description

It is possible to test whether a given username exists on the system or not trivially using SCRAM. While it may be possible to determine this via other means (such as over the wire via XMPP queries for example) this presents an obvious and difficult to detect attack.

Environment

None

Acceptance Test - Entry

None

Assignee

Dave Cridland

Reporter

Dave Cridland

Labels

None

Expected Effort

None

Ignite Forum URL

None

Fix versions

Priority

Major
Configure