Account takeover via password reset
# Description
An attacker can predict all future password reset tokens because `PasswordService` generates them with `RandomStringUtils.randomAlphanumeric`, which is not a cryptographically secure random number generator (RNG). From a single password reset token, an attacker can recover the RNG seed, request password resets for their own account and for the victim's account, and then use their own token to locate the victim's token in the predicted sequence.

## Attack scenario
1. The attacker finds out the victim's email address (or targets `[email protected]` for more impact).
2. The attacker requests a password reset for their own account and obtains the reset token from the email. The RNG seed can be cracked from that token in about 2 hours and then used to predict any number of future reset tokens (say, 10K or 10M).
3. The attacker then triggers a password reset on their own account and on the victim's account, finds their own token in the predicted list, and tries the tokens that follow it one by one with the victim's email at `/password/change`.

To compromise a regular user's account, an attacker needs to know their email address, which is generally not difficult to find on social media. In the case of the admin account, the email is already known.

# Proof of Concept
There is a [proof of concept](https://github.com/alex91ar/randomstringutils) that takes one value generated by `RandomStringUtils` and reverses it to generate all past and future RNG values. I have verified that it works by requesting a few reset tokens, using the first one to reverse the random seed (this took about 4 hours), and predicting 3000 more. The time needed to find the seed does not matter, because afterwards it is possible to generate new tokens indefinitely. I found the other tokens sent by Alovoa on lines 1, 33, and 65 of the predicted output, so the attack is feasible. The tool screenshots and the generated tokens were sent to the vendor ([email protected]).

# How to fix

Use `java.security.SecureRandom` or another safe random number generator (RNG) implementation with `RandomStringUtils`. [That](https://github.com/jhipster/jhipster-kotlin/issues/183#issuecomment-531504909) is how JHipster fixed this.
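The weak call beside the hardened one, as an added example rather than Alovoa's own `PasswordService` code; it assumes commons-lang3 on the classpath and a 32-character token, both of which are assumptions:

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

// Added example, not Alovoa's code. Token length of 32 is an assumption.
public final class ResetTokenExample {
    private static final int TOKEN_LENGTH = 32;

    // One SecureRandom for the whole service: it is thread-safe and seeding
    // it repeatedly gains nothing.
    private static final SecureRandom SECURE = new SecureRandom();

    // Before the fix: the no-argument helpers draw from a shared
    // java.util.Random, whose 48-bit state can be recovered from its output,
    // so one leaked token reveals every token that follows.
    static String weakToken() {
        return RandomStringUtils.randomAlphanumeric(TOKEN_LENGTH);
    }

    // After the fix: the overload
    //   random(count, start, end, letters, numbers, chars, random)
    // accepts any java.util.Random, so a SecureRandom can be passed in.
    // start = end = 0 with chars == null selects the full letter/digit set,
    // matching randomAlphanumeric's alphabet.
    static String secureToken() {
        return RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, SECURE);
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakToken());
        System.out.println("secure : " + secureToken());
    }
}
```

Only the generator changes; token length, alphabet and the rest of the reset flow stay as they were.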
