Today I registered an account on some company's website. As usual, I got a confirmation e-mail with a link to click so that my account would be activated. It looked like this:
|part of activation e-mail i received.|
So my first thought was to check this MD5 hash! :)
Using Google I quickly got an answer:
|md5 hash and the source string.|
Hm.. interesting, so it looks like the pattern is the string 'mw' + login. Let's verify this.
The first step is creating an account with a non-existent e-mail address.
|our fake input data.|
Next we generate an MD5 hash for the string 'mwthisisfake' and paste the crafted URL into the browser.
|confirmation link generated by us.|
|Registration confirmation info.|
So let's see if we can log in.
|Logged in as thisisfake user.|
OK, so I managed to skip the e-mail verification - what's so bad about that?
The first obvious conclusion is that users can create accounts without a valid e-mail address. It is also easier to write a script for automatic user generation (no e-mail, no captcha verification). User login enumeration is possible too. This is just a registration confirmation link; imagine what would happen if the password reset function had this vulnerability (and I've seen it happen before). I'll try to continue on this topic if I find more interesting examples.
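The root cause is that the activation token is derived from data the user already knows, so anyone can recompute it. As an added example (not code from the post or the site in question), here is the weak scheme the post reconstructs next to a hardened design I am assuming: a random token from the OS CSPRNG, stored only as a hash, bound to the login, expiring, single-use and compared in constant time.

```python
import hashlib
import hmac
import secrets

# Constructed reconstruction of the scheme described in the post:
# token = md5("mw" + login). It is a pure function of the login, so the
# e-mail step proves nothing - the "secret" is guessable by design.
def weak_token(login: str) -> str:
    return hashlib.md5(("mw" + login).encode()).hexdigest()


TOKEN_TTL = 24 * 3600  # assumed lifetime of an activation link, in seconds


class ActivationStore:
    """Hardened activation tokens (assumed design, not the site's code)."""

    def __init__(self) -> None:
        # login -> (sha256 hex digest of the token, expiry timestamp)
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, login: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[login] = (digest, now + TOKEN_TTL)
        return token  # only ever travels in the e-mail, never stored as-is

    def confirm(self, login: str, token: str, now: float) -> bool:
        entry = self._pending.get(login)
        if entry is None:
            return False  # nothing pending for this login
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[login]  # stale link is dead, not retried
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        # constant-time comparison: no timing side channel on the digest
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[login]  # single use: a second click must fail
        return True
```

The same store pattern applies unchanged to password reset links, which is where the post notes the same flaw does the most damage.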