My first surprise was that the password was changed immediately without any confirmation. That means that if I only knew a person's e-mail, I could change his password!
The second surprise was the pattern that emerged when I generated a few passwords (for different accounts with different passwords):
XS?dh*96 [2 upper letters][special char][2 lower letters][special char][number, max 2 digits].
Can you spot the problem?
- I am able to change someone's password knowing only his e-mail,
- I know the generation pattern for this new password.
26 x 26 x 6 x 26 x 26 x 100 = 274185600 possible combinations, so the dictionary file would be around 2.2 GB in size. Yep, it seems like a lot of time, but in case of flaws in the randomness of the string generation we could probably shorten the amount of time needed to crack it; I need to examine it deeper. To sum up, it does not seem to be a threat (for now), but those patterns definitely should not have appeared in that function.
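To put numbers on the pattern above, here is an added example (my own code, not part of the original post or the application it describes): it computes the keyspace and entropy from the post's own count, contrasts that with a CSPRNG-generated reset secret, and gives a regex check a developer can keep in a test suite so the pattern cannot quietly return. The regex assumes the special-character class is any non-alphanumeric ASCII symbol, since the post does not list the six symbols it observed.

```python
import math
import re
import secrets

# Character-class sizes for the reset-password pattern, taken from the post's
# own count: 26 x 26 x 6 x 26 x 26 x 100 (the post folds the two special
# characters into a single factor of 6).
PATTERN_CLASS_SIZES = [26, 26, 6, 26, 26, 100]

# Regex form of "[2 upper][special][2 lower][special][number, max 2 digits]".
# Assumption: the special-character class is any non-alphanumeric ASCII symbol.
PATTERN_RE = re.compile(r"^[A-Z]{2}[^A-Za-z0-9][a-z]{2}[^A-Za-z0-9][0-9]{1,2}$")


def keyspace(class_sizes):
    """Number of distinct passwords the fixed pattern can produce."""
    return math.prod(class_sizes)


def entropy_bits(class_sizes):
    """Entropy of the pattern in bits, assuming each class is drawn uniformly.
    This is the best case; a weak RNG only makes the real figure smaller."""
    return math.log2(keyspace(class_sizes))


def matches_reset_pattern(password):
    """Regression check: True if a generated password follows the predictable
    layout described in the post. Run it against the reset function's output."""
    return PATTERN_RE.fullmatch(password) is not None


def generate_reset_secret(nbytes=16):
    """What a reset secret should look like instead: structureless CSPRNG
    output. secrets.token_urlsafe is in the standard library."""
    return secrets.token_urlsafe(nbytes)


def token_entropy_bits(nbytes=16):
    """Entropy of the CSPRNG token: every byte is uniform, so 8 bits per byte."""
    return 8 * nbytes


if __name__ == "__main__":
    print(f"pattern keyspace: {keyspace(PATTERN_CLASS_SIZES):,}")
    print(f"pattern entropy:  {entropy_bits(PATTERN_CLASS_SIZES):.1f} bits")
    print(f"token entropy:    {token_entropy_bits()} bits")
    print("XS?dh*96 follows pattern:", matches_reset_pattern("XS?dh*96"))
    print("CSPRNG token follows pattern:", matches_reset_pattern(generate_reset_secret()))
```

The pattern yields about 28 bits of entropy in the best case, against 128 bits for a 16-byte token; the regex check is what turns this finding into a permanent unit test.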