Saturday 2 June 2012

How to NOT generate confirmation links

Today i registered an account at some company website. As usual i got an confirmation e-mail to click on, so my account would be activated.It looked like this:
part of activation e-mail i received.

So my first thought was to check this md5 hash ! :)
Using google i quickly got an answer:

md5 hash and the source string.

Hm.. interesting, so it looks like the pattern is 'mw' string + login. Let's verify this.

First step is creating an account with non existant e-mail address.

our fake input data.

Next we generate a md5 hash for 'mwthisisfake' string and pasting the crafted url to the browser.

confirmation link generated by us.


Registration confirmation info.

So let's see if we can log in.

Logged in as thisisfake user.

Ok, so i managed to skip the e-mail verification - what's so bad about it ?

First obvious conclusion is that users can create accounts without using a valid e-mail address.Also it is easier to write a script for automatic user generation (no e-mail, no captcha verification). User login enumeration is possible too. This is just a registration confirmation link, imagine what would happen if reset password function had this vulnerability (and i've seen it happend before). I'll try to continue on this topic if i find more interesting examples.

No comments:

Post a Comment