Today I registered an account at some company website. As usual I got a confirmation e-mail with a link to click on so that my account would be activated. It looked like this:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT4lJHUmv0DZPsJMJ6F0A_0_zDzIbLqFX8UPKKW-82oAN5pt01Pjzwc4e4SzwfbjFdNgoxnal2t5i2XqVVAB-adWInISYa5XCP-JJ4H2EE0OaiPSQ5G_k9aS7w_c8i_Iuir5IKVyOEgOE/s1600/act_link.jpg)

Part of the activation e-mail I received.
So my first thought was to check this md5 hash! :)

Using Google I quickly got an answer:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsSDAgyk9hUoYXKrcevWCoWV0UUKRjdP864OBEJ-fNt0dR5vyV2zUZRHlty7m4vRZfFLvM2x5z2wSqA2F9I220pDvfeORbmtL6kOwf6rN2o29jX2JsyozZa_8WxRJeHOlJ8GQ6b-Uy2lE/s400/md5hash.jpg)

The md5 hash and the source string it was computed from.
Hm, interesting. So it looks like the token is just md5 of the fixed string 'mw' followed by the login, with nothing random in it. Let's verify this.

The first step is creating an account with a non-existent e-mail address.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjTxSri9ydwDXwz7iZgaLNw_bw6a0G9lHP08HmSlvQ-QBHZf2maW5kSem2FIGDDjtokplr7IWRx6cjhOsWpBVz8HbWl-1vBrKxk3aDyW7g4lmd1qbbqZEvjSBJCJceQEN7cE2lYAG3-0/s320/register.jpg)

Our fake input data.
Next we generate the md5 hash of the string 'mwthisisfake' and paste the crafted URL into the browser.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDWV-SUpRa6TCfb-DZDD7V8VM4QJnm7wt5XgX7C7YdeVqm7pV7vH2_zULGka8rqWb88v_FSVy66tjbPq9IlFD-4wX-ct-Ko3RgmPVCYHn95m8ACbnu9nEqLwVPmIvGagAYD7PW5o6DSj8/s1600/act_link2.jpg)

The confirmation link generated by us.
Success!
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5TsVSrxr3csMmS7jgpXVrgzTuTIht8S-2vCpAGTACKUM6EDcMIadBt3ba0DPPDrcOmI0V2KUXCysLdQk9ZRnKoAx5A3ZYnhD94HoVOLAm_DKYKQljIVh06ykgPwiSzT1wYIPclemqIY8/s1600/dziekujemy.jpg)

Registration confirmation message.
So let's see if we can log in.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWiVJcv2UOvpTmR5L4o-gssnXW51kbS9j-v15ExHzkvF7D74HGl0jvRBU60pv8o7WuwithNW7R73g30alDdITwwSqVbVVgnFFH5NvVE7Glt1DvZSMKtMccvO4Tr44GPbFAV3TAx9-PWWY/s1600/logged.jpg)

Logged in as the thisisfake user.
OK, so I managed to skip the e-mail verification. What's so bad about that?

The first obvious conclusion is that users can create accounts without a valid e-mail address. It also makes it easier to write a script for automatic account generation, since there is no e-mail step and no CAPTCHA to get past. Login enumeration is possible too, because the token can be computed for any login without access to that user's mailbox. And this is only a registration confirmation link; imagine what would happen if the password reset function had this vulnerability (and I've seen that happen before). I'll try to continue this topic if I find more interesting examples.
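To make the weakness concrete, here is an added example (my own code, not the site's or the original post's) that does three things: it reproduces the md5('mw' + login) token and builds a forged activation link for any login, it gives a tester a quick check for spotting this kind of construction from a real activation mail, and it shows the hardened alternative: a random token stored server-side, compared in constant time and consumed on first use. The host, URL path and parameter names are assumptions, since the post only shows the link as a screenshot, and the candidate prefix list is a guess for illustration, not something from the post.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Added example, not code from the original post. The prefix "mw" is what the post
# found; the host, path and parameter names are assumptions, since the post only
# shows the link as a screenshot.
ACTIVATION_URL = "https://example.invalid/activate"  # placeholder host (assumption)
PREFIX = "mw"


def predictable_token(login):
    """The weak scheme as the post reconstructs it: md5 of a fixed prefix + login.
    Anyone who knows the prefix and a login can compute this offline."""
    return hashlib.md5((PREFIX + login).encode("utf-8")).hexdigest()


def forge_activation_link(login):
    """Build the confirmation link for an account whose mailbox we never had."""
    query = urlencode({"login": login, "hash": predictable_token(login)})
    return ACTIVATION_URL + "?" + query


# Tester's check: given your own login and the token from a real activation mail,
# try a few common constructions. The candidate prefixes are guesses for this
# example, not a list from the post; extend it with strings seen in the site's
# markup or JavaScript.
CANDIDATE_PREFIXES = ["", "mw", "salt", "activate"]


def recover_construction(login, token):
    """Return (prefix, 'prefix'|'suffix') if the token is md5(prefix + login)
    or md5(login + prefix) for a candidate prefix, else None."""
    token = token.lower()
    for p in CANDIDATE_PREFIXES:
        if hashlib.md5((p + login).encode("utf-8")).hexdigest() == token:
            return (p, "prefix")
        if hashlib.md5((login + p).encode("utf-8")).hexdigest() == token:
            return (p, "suffix")
    return None


# Hardened form: the token is random, stored server-side, compared in constant
# time and consumed on first use, so nothing about it is derivable from the login.
class ActivationStore:
    def __init__(self):
        self._pending = {}  # login -> outstanding activation token

    def issue(self, login):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[login] = token
        return token

    def activate(self, login, presented):
        expected = self._pending.get(login)
        if expected is None:
            return False
        if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
            return False
        del self._pending[login]  # one-time use
        return True


if __name__ == "__main__":
    print(forge_activation_link("thisisfake"))
    store = ActivationStore()
    real_token = store.issue("thisisfake")
    # The guessable md5 token is useless against the hardened store.
    print(store.activate("thisisfake", predictable_token("thisisfake")))
    print(store.activate("thisisfake", real_token))
```

The point of `recover_construction` is the same step the post did with a search engine: take a token you legitimately received and see whether it is a plain hash of something you already know. If it is, the activation (or password reset) endpoint accepts a value an attacker can compute for any other login. The `ActivationStore` half shows what removes the problem: the token carries no information about the account, is only valid once, and is compared with `hmac.compare_digest` so a timing leak does not give it away either.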