https://community.qlik.com/t5/Suggest-an-Idea/Creds-Harvesting-through-invalid-user-error/idi-p/1927748 <P>Description:<BR />Using differences in responses from the application, it is possible to determine accounts that exist within the application and accounts that do not. These differences in responses can be used by an attacker to identify existing or active accounts, and the information gathered can be used to aid in additional attack scenarios</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anagarju_0-1652074488218.png" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/78906i848239D2158A8636/image-size/medium?v=v2&amp;px=400" role="button" title="anagarju_0-1652074488218.png" alt="anagarju_0-1652074488218.png" /></span></P> <P>&nbsp;</P> <P>Mitigation Recommendations:<BR />Avoid providing specific reasons for failure and use generic responses instead when possible. This will help ensure that attackers cannot obtain more information about accounts than necessary.<BR />Examples for possible remediation:<BR />Login<BR />• Make sure to return a generic “Username or password is incorrect” message when a login failure occurs.<BR />• Make sure the HTTP response, and the time taken to respond are no different when a username does not exist, and an incorrect password is entered.</P> Mon, 04 Jul 2022 14:37:00 GMT anagarju 2022-07-04T14:37:00Z https://community.qlik.com/t5/Suggest-an-Idea/Creds-Harvesting-through-invalid-user-error/idc-p/1927749#M9453 <P>Reference support ticket:&nbsp;<A href="https://community.qlik.com/t5/crmsupport/casepage/issue-id/00034362/issue-guid/5003z00002V50IqAAJ/issue-provider/salesforce" target="_blank">https://community.qlik.com/t5/crmsupport/casepage/issue-id/00034362/issue-guid/5003z00002V50IqAAJ/issue-provider/salesforce</A></P> <P>&nbsp;</P> Mon, 09 May 2022 05:36:55 GMT https://community.qlik.com/t5/Suggest-an-Idea/Creds-Harvesting-through-invalid-user-error/idc-p/1927749#M9453 anagarju 2022-05-09T05:36:55Z https://community.qlik.com/t5/Suggest-an-Idea/Creds-Harvesting-through-invalid-user-error/idc-p/2100119#M13387 <P>From now on, please track this idea from the Ideation portal.&nbsp;</P><P><STRONG><A title="Link to new idea" href="https://ideation.qlik.com/app/#/case/281481" target="_blank" rel="noopener">Link to new idea</A></STRONG></P><P>Meghann</P><P data-unlink="true"><EM>NOTE: Upon clicking this link 2 tabs may open - please feel free to close the one with a login page. If you <STRONG>only</STRONG> see 1 tab with the login page, please try clicking this link first: <STRONG><A title="Authenticate me!" href="#" target="_blank" rel="noopener">Authenticate me!</A></STRONG>&nbsp;t</EM><EM>hen try the link above again. Ensure pop-up blocker is off.</EM></P> Wed, 02 Aug 2023 15:16:25 GMT https://community.qlik.com/t5/Suggest-an-Idea/Creds-Harvesting-through-invalid-user-error/idc-p/2100119#M13387 Meghann_MacDonald 2023-08-02T15:16:25Z https://community.qlik.com/t5/Suggest-an-Idea/Creds-Harvesting-through-invalid-user-error/idc-p/2100120#M13388 Wed, 02 Aug 2023 15:16:27 GMT https://community.qlik.com/t5/Suggest-an-Idea/Creds-Harvesting-through-invalid-user-error/idc-p/2100120#M13388 Ideation 2023-08-02T15:16:27Z