Today i registered an account at some company website. As usual i got an confirmation e-mail to click on, so my account would be activated.It looked like this:
 | ||||||||
| part of activation e-mail i received. |
So my first thought was to check this md5 hash ! :)
Using google i quickly got an answer:
 |
| md5 hash and the source string. |
Hm.. interesting, so it looks like the pattern is 'mw' string + login. Let's verify this.
First step is creating an account with non existant e-mail address.
 |
| our fake input data. |
Next we generate a md5 hash for 'mwthisisfake' string and pasting the crafted url to the browser.
 |
| confirmation link generated by us. |
Success!
 |
| Registration confirmation info.
|
So let's see if we can log in.
 |
| Logged in as thisisfake user. |
Ok, so i managed to skip the e-mail verification - what's so bad about it ?
First obvious conclusion is that users can create accounts without using a valid e-mail address.Also it is easier to write a script for automatic user generation (no e-mail, no captcha verification). User login enumeration is possible too. This is just a registration confirmation link, imagine what would happen if reset password function had this vulnerability (and i've seen it happend before). I'll try to continue on this topic if i find more interesting examples.
No comments:
Post a Comment