Sense of Security is one of Australia’s most trusted providers of cyber resilience, information security and risk management services.

Latest announcements
© Copyright Sense of Security

Security Advisory – SOS-09-004 – Lotus Sametime User Enumeration Vulnerability

Release Date: 9-Jul-2009

Last Update:

Vendor Notification Date: 2-Jun-2009

Product: IBM Lotus Instant Messaging and Web Conferencing (Sametime)

Platform: Windows (verified), possibly others

Affected versions: IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.5.1 (verified), possibly others

Severity Rating: Low

Impact: Exposure of sensitive information

Attack Vector: Remote with authentication

Solution Status: Vendor patch not yet available

CVE reference: Not yet allocated


IBM Lotus Sametime is an enterprise instant messaging and web conferencing application. During an application penetration test Sense of Security identified a user enumeration vulnerability when trying to connect to the Sametime server using the Sametime Connect Client. This occurred as a result of varying response times depending on whether or not a valid user name is supplied.

The client takes significantly longer to display the ‘Invalid logon’ error message when a valid username (and invalid password) is provided (5-8 seconds). This is a result of additional information exchanges occurring between the server and client.

When an invalid username (and password) is supplied, the error is displayed almost instantaneously (1-3 seconds).

This can be used to enumerate valid user names.

Please refer to the PDF version of this advisory  for proof of concept code examples.


The vendor has advised that IBM is looking to eliminate this behaviour completely in a future release.

Discovered By

Karan Khosla from Sense of Security Labs.

Our expert consultants are here to help you. For all your Cyber Security needs please contact us today.

No Comments

Sorry, the comment form is closed at this time.