In this Section

Security Advisory – Lotus Sametime User Enumeration Vulnerability


Sense of Security – Security Advisory – SOS-09-004

Release Date. 09-Jul-2009
Last Update. 09-Jul-2009
Vendor Notification Date. 20-Jul-2009
Product. Lotus Sametime
Platform. Windows (verified), possibly others.
Affected versions. IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.5.1 (verified), possibly others.
Severity Rating. Low
Impact. Exposure of sensitive information
Attack Vector. Remote without authentication
Solution Status. Vendor patch not yet available
CVE reference. CVE-Not yet assigned



IBM Lotus Sametime is an enterprise instant messaging and web conferencing application. During an application penetration test Sense of Security identified a user enumeration vulnerability when trying to connect to the Sametime server using the Sametime Connect Client. This occurred as a result of varying response times depending on whether or not a valid user name is supplied.


The client takes significantly longer to display the ‘Invalid logon’ error message when a valid username (and invalid password) is provided (5-8 seconds). This is a result of additional information exchanges occurring between the server and client.


When an invalid username (and password) is supplied, the error is displayed almost instantaneously (1-3 seconds).


This can be used to enumerate valid user names.



The vendor has advised that IBM is looking to eliminate this behaviour completely in a future release.



Karan Khosla from SOS Labs.