Hi,
Doing some security assessments I realized that a user with just create session can query the ALL_USERS view and get a listing of all the users defined in the database.
Some people ask if that is really a risk for a user A to know that user B exists even if A has no access to any data of user B. I think that YES, user A might try to connect as user B and, depending on the security configuration of the database, user A might succeed or user B could get blocked after several attempts from user A, and if user B gets locked that might lead to denial of service.
Is it safe to do a revoke select on all_users from public? Any other suggestions? Has someone thought about it?
Thanks
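
An added example, not part of the original post: two audit queries a DBA could run to measure the exposure described above. They show who holds access to ALL_USERS and, for each account, whether repeated failed logins would lock it. They assume the session can read the standard dictionary views DBA_TAB_PRIVS, DBA_USERS and DBA_PROFILES.

```sql
-- Added example; run as an account that can read the DBA_* dictionary views.

-- 1. Who can read ALL_USERS (the post's concern is the grant to PUBLIC).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'ALL_USERS'
ORDER  BY grantee;

-- 2. Lockout settings per account. A profile limit of 'DEFAULT' means
--    "inherit from the DEFAULT profile", so it is resolved before judging.
SELECT u.username,
       u.account_status,
       u.profile,
       DECODE(fa.limit, 'DEFAULT', dfa.limit, fa.limit) AS failed_login_attempts,
       DECODE(lt.limit, 'DEFAULT', dlt.limit, lt.limit) AS password_lock_time_days,
       CASE
         WHEN DECODE(fa.limit, 'DEFAULT', dfa.limit, fa.limit) = 'UNLIMITED'
           THEN 'never locks: password guessing is not throttled'
         WHEN DECODE(lt.limit, 'DEFAULT', dlt.limit, lt.limit) = 'UNLIMITED'
           THEN 'locks until a DBA unlocks it: lockout denial of service'
         ELSE 'locks for the lock time: temporary denial of service'
       END AS exposure
FROM   dba_users u
JOIN   dba_profiles fa
       ON fa.profile = u.profile
      AND fa.resource_name = 'FAILED_LOGIN_ATTEMPTS'
JOIN   dba_profiles lt
       ON lt.profile = u.profile
      AND lt.resource_name = 'PASSWORD_LOCK_TIME'
JOIN   dba_profiles dfa
       ON dfa.profile = 'DEFAULT'
      AND dfa.resource_name = 'FAILED_LOGIN_ATTEMPTS'
JOIN   dba_profiles dlt
       ON dlt.profile = 'DEFAULT'
      AND dlt.resource_name = 'PASSWORD_LOCK_TIME'
ORDER  BY u.username;
```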