So just to summarize, this report covers three possible vulnerabilities related to the PCI-DSS account lockout feature:
1. If someone can guess a username, they can prevent that user from authenticating by repeatedly attempting to log in with a wrong password until the account locks (a denial of service against that user).
2. Someone can identify valid usernames by trying to log in with candidate strings and invalid passwords until the lockout threshold is reached, at which point the change in the API response confirms the existence of that user (a username-enumeration oracle).
3. The lockout response can be used as an oracle to determine the UUID matching any known or guessed username.
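The three issues above as a runnable simulation. This is an added example, not code from the report or from the affected application: the user store, the UUID, the six-attempt threshold, the 30-minute lock duration and the exact response bodies are all assumptions chosen to make the oracle visible. `login_leaky` has the shape the report describes (a distinct lockout response, only reachable for real accounts, that carries the UUID); `login_uniform` is one hardened shape that closes issues 2 and 3; `enumerate_with_lockout` is the probe an attacker would run against either.

```python
"""Constructed simulation of a login endpoint with a PCI DSS style lockout.
Added example, not the reported application's code: thresholds, UUID,
user store and response shapes are assumptions."""
import hmac
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 6            # assumed policy: lock after six bad attempts
LOCKOUT_SECONDS = 30 * 60        # assumed policy: lock for 30 minutes
GENERIC_FAILURE = {"status": 401, "error": "invalid_credentials"}
DUMMY_PASSWORD = "x" * 32        # compared for unknown users to keep timing similar
ALICE_UUID = "7d2d3c1a-0c6e-4d0f-9b6f-5e2d2b3a9f10"   # constructed value


@dataclass
class Account:
    uuid: str
    password: str               # plaintext only because this is a simulation
    failures: int = 0
    locked_until: float = 0.0   # 0 = not locked, inf = locked until admin unlock


def make_users():
    """Fresh user store; login calls mutate it, so tests take a new copy."""
    return {"alice": Account(ALICE_UUID, "correct horse battery staple")}


def login_leaky(users, username, password, now=None):
    """Vulnerable shape: unknown usernames can never reach the lockout branch,
    and the lockout branch returns a distinct status plus the account UUID."""
    now = time.time() if now is None else now
    acct = users.get(username)
    if acct is None:
        return dict(GENERIC_FAILURE)
    if now < acct.locked_until:
        return {"status": 423, "error": "account_locked", "user_id": acct.uuid}
    if hmac.compare_digest(acct.password, password):
        acct.failures = 0
        return {"status": 200, "user_id": acct.uuid}
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked_until = float("inf")   # locked until an admin intervenes
        return {"status": 423, "error": "account_locked", "user_id": acct.uuid}
    return dict(GENERIC_FAILURE)


def login_uniform(users, username, password, now=None):
    """Hardened shape: every failed request, locked or not, known user or not,
    returns the same body; the lock is enforced silently and expires by itself."""
    now = time.time() if now is None else now
    acct = users.get(username)
    if acct is None:
        hmac.compare_digest(DUMMY_PASSWORD, password)  # do comparable work
        return dict(GENERIC_FAILURE)
    if now < acct.locked_until:
        return dict(GENERIC_FAILURE)       # locked: no 423, no UUID, no hint
    if hmac.compare_digest(acct.password, password):
        acct.failures = 0
        return {"status": 200, "user_id": acct.uuid}
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
    return dict(GENERIC_FAILURE)


def enumerate_with_lockout(login, users, candidates, attempts=LOCKOUT_THRESHOLD):
    """Attacker's probe for issues 2 and 3: send a wrong password to each
    candidate until the response changes. A change means the account exists,
    and whatever the changed response carries (here the UUID) comes for free."""
    found = {}
    for name in candidates:
        baseline = login(users, name, "not-the-password")
        for _ in range(attempts):
            resp = login(users, name, "not-the-password")
            if resp != baseline:
                found[name] = resp.get("user_id")
                break
    return found
```

Against `login_leaky`, the probe reports `alice` together with her UUID and leaves the real account locked until an administrator unlocks it, which is issue 1. Against `login_uniform` the probe learns nothing, because the response never changes; the legitimate user is still refused for the lock window, so the time-bounded lock only limits issue 1 rather than removing it, which is the inherent trade-off of any lockout control.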