In this blog post, I detail how I uncovered a critical vulnerability in a popular online service’s password reset feature. Due to poor password reset implementation practices, I was able to gain unauthorized access to user accounts. In this research, I will lay out the thought process from a hacker’s perspective to achieve an account takeover. I am not allowed to reveal the service’s identity, so we will call the vulnerable site site.com throughout the research.<\/p>\n\n\n\n
Technical Analysis<\/h4>\n\n\n\n
site.com allows users to reset passwords using the forgot password feature. Users who have lost their login password can request a unique link to reset the password using their email address. Once a user has asked for a reset password link they can visit the link received via email and set a new password.<\/p>\n\n\n\n
The reset password links are in this format:<\/p>\n\n\n\n
Once a GET request to this link is sent, the response contains the actual password reset link as a part of the Location header which is in the format of:<\/p>\n\n\n\n
Now, if an attacker gets the correct tracking link they can find the password reset URL for the victim and takeover the victim’s account.<\/p>\n\n\n\n
The tracking link contains two random hash values which are actually a value in the hex<\/code> format. Also, if we look at the multiple tracking links requested in the nearby time the hex<\/code> values seem like they are sequential and not random.<\/p>\n\n\n\n
The randomness in tracking links and how to brute force it<\/h5>\n\n\n\n
Let’s take a look at multiple tracking links requested for different accounts within almost the same second time.<\/p>\n\n\n
If we observe these numbers they are not random but in ascending order. To make it easier we can even convert them to decimal numbers by using any hex-to-decimal converter.<\/p>\n\n\n
Meaning, the attacker made the password reset request for attacker-controlled accounts and a victim account in a short period of time (fraction of second) then the attacker can actually identify the missing link by observing the hash 1 in the received tracking links.<\/p>\n\n\n\n
In the above example, it was evident that the Hash-1 between ...ad5<\/code> and ...ad7<\/code> was missing for the tracking link his accounts received to reset the password. Meaning, the victim must have received a tracking link between these two value.<\/p>\n\n\n\n
This is how an attacker can actually map the range of hash-1. For hash-2, The hash-2 is also sequential and it is also easier to find a range as it will be in the range of hash-2<\/code> of hash-1<\/code> such as in the above example hash-2<\/code> of the link with hash-1 ...ad5<\/code> and hash-2<\/code> of the link with hash-1 ..ad7<\/code>.<\/p>\n\n\n\n
In the above example,<\/p>\n\n\n
\nThe range of hash-1 in hex - [65c2eb504557ad5 - 65c762584557ad7]\nThe range of hash-2 in hex - [65c4e78812fd5466 - 65c9972112fd5468]\n\n<\/pre><\/div>\n\n\n
An attacker can brute force this range to find the password reset link. However, there are two ranges meaning for each value in hash-1 the attacker needs to map all the values of hash-2 which makes a total combination value which no modern computer can brute force.<\/p>\n\n\n\n
However, if we look closely we can actually reduce the range by finding which placeholder in the given hex values is random and what are the static values. Also, is there any sequence which we can guess? Let’s see:<\/p>\n\n\n\n
This drastically reduces the total combinations as now the range for hash-1 becomes:<\/p>\n\n\n
\n[2eb50 - 76258] (in hex)\n[191312 - 483928] (in decimal) \n\n<\/pre><\/div>\n\n\n
Making total combinations as 483928 – 191312 = 292616<\/p>\n\n\n\n
But again, if the total combinations of hash-1 is around 300000 and for hash-2 if it is also around 300000 again it is almost impossible to brute force 300000^300000 combinations.<\/p>\n\n\n\n
Upon further testing, I identified that Hash-1<\/code> is actually not being validated by the backend and only Hash-2<\/code> is attached with the password reset link. Meaning, Hash-1<\/code> can be any valid Hash-1<\/code> value and Hash-2<\/code> has to be the right value received by the victim.<\/p>\n\n\n\n
We can now again reduce the range of total bruteforce attempts.<\/p>\n\n\n\n
Let’s investigate hash-2 from the above example:-<\/p>\n\n\n
The static value should be 65c<\/code> and the last sequence has to be 12fd5467<\/code>. We are left with random values to guess. The range for this is:<\/p>\n\n\n
\n[4e788 - 99721] (in hex)\n[321416 - 628513] (in decimal) \n\n<\/pre><\/div>\n\n\n
Making total combinations as: 628513 – 321416 = 307097<\/p>\n\n\n\n
These many combinations can easily be brute-forced. I have written a Python script below that can generate all the possible hash-2 values given the static value, the range of random values, and the sequence that was guessed.<\/p>\n\n\n\n
The python script is as below:<\/p>\n\n\n
\nimport os\n\ndirectory = os.getcwd()\n\nstatic_value = input("What is the static value in the hash?\\nYour Answer:")\nstart_hex = input("What is the lowest or starting number of the range?\\nYour Answer:")\nend_hex = input("What is the highest or ending number of the range?\\nYour Answer:")\nsequence = input("What is the ending sequence of the hash?\\nYour Answer:")\n\nstart_decimal = int(start_hex, 16)\nend_decimal = int(end_hex, 16)\n\nprint("Generating all the possible hex value...")\n\nwith open(directory+'\/hash-2','w') as file:\n for decimal in range(start_decimal, end_decimal+1):\n hex_value = hex(decimal)\n file.write(static_value + hex_value.replace('0x', '') + sequence)\n file.write("\\n")\n\nprint("File Generated and saved at " + directory + "\/hash-2")\n\n<\/pre><\/div>\n\n\n
saved this file as\u00a0hash_2_generator.py<\/code> and ran it with:\u00a0python3 hash_2_generator.py<\/code><\/p>\n\n\n\n
The output (All the inputs are of hex values):<\/p>\n\n\n
\nWhat is the static value in the hash?\nYour Answer:65c\nWhat is the lowest or starting number of the range?\nYour Answer:4e788\nWhat is the highest or ending number of the range?\nYour Answer:99721\nWhat is the ending sequence of the hash?\nYour Answer:12fd5467\nGenerating all the possible hex value...\nFile Generated and saved at ....\/hash-2\n\n<\/pre><\/div>\n\n\n
The output file:<\/p>\n\n\n\n<\/figure>\n\n\n\n
A quick search with the value\u00a065c5a68912fd5467<\/code>\u00a0(which is the actual hash of the victim’s tracking link) was found at 48898 positions, meaning that after 48898 attempts, the attacker could have found the victim’s reset password link.<\/p>\n\n\n\n
To make this attack worse and compromise more than one victim account, an attacker can place many other victims’ email addresses between the attacker’s emails. While brute-forcing, an attacker will find the password reset links of all the victim accounts they want to target.<\/p>\n\n\n\n
I reported this finding to the specific vulnerable site, and I am pleased to share that they have since resolved the issue.<\/p>\n","protected":false},"excerpt":{"rendered":"
In this blog post, I detail how I uncovered a critical vulnerability in a popular online service’s password reset feature. Due to poor password reset implementation practices, I was able to gain unauthorized access to user accounts. In this research, I will lay out the thought process from a hacker’s perspective to achieve an account […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-35","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/infosecin.com\/index.php?rest_route=\/wp\/v2\/posts\/35","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosecin.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecin.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecin.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=35"}],"version-history":[{"count":3,"href":"https:\/\/infosecin.com\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions"}],"predecessor-version":[{"id":45,"href":"https:\/\/infosecin.com\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions\/45"}],"wp:attachment":[{"href":"https:\/\/infosecin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=35"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=35"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecin.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=35"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/pentestpulse.wordpress.com\/wp-content\/uploads\/2024\/07\/1.png?w=913\")
<\/figure>\n\n\n\n