1. Summary
Hello Everyone,
I cannot disclose the program name as they didn't allow me to do so. But it would have allowed me to take over or change any user account's password. The program had a password reset feature, and this is how it worked: when someone tried to reset their password, it generated a hash and sent the user an email containing a link to change the password. The link looked like
https://programsite.com/reset-password/HashGenerated
The hash was generated when the user submitted the password reset form with their email/username. After a bit of digging I found that the hash was just the MD5 of the user id and a Unix timestamp.
The user id could be found by visiting any user profile; the address bar would show something like
https://programsite.com/userprofile/userid
And the Unix timestamp was just PHP's time() function, which is the same on every server/timezone: if I ran time() on my local machine and on my hosting server in the USA, it returned the same value. So what I did was,
I created a PHP script, shown below:
<?php
$userid = 1; // change this to the user id of the victim's account
$start = time(); // current Unix timestamp, identical on every server regardless of timezone
$time = $start;
while ($time <= $start + 10) { // the current second plus the next 10 seconds
    echo md5($time . $userid) . "<br>"; // same construction as the site's reset hash
    $time++;
}
?>
It works like this:
It takes the current timestamp and creates a hash like the password reset hash on the program site, and it creates additional hashes for the following 10 seconds in case I missed the actual one.
Now I could run the script and, within the next 10 seconds, submit the password reset form; one of the hashes from my script would work perfectly. This way I could change any user's password.
I reported this and the program fixed it. It was a private program; they invited me to test but didn't allow me to disclose more information.
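The post does not describe how the program fixed it. As an added example, not the program's own code, this is how a reset token can be issued so that it is not derivable from the user id and request time, and verified with an expiry and single use; the $store array is a constructed in-memory stand-in for the site's database table.

```php
<?php
// Added example (not the program's code): a reset token that cannot be
// reconstructed from public data. $store is a constructed in-memory
// stand-in for the table the real site would keep reset records in.

const RESET_TTL_SECONDS = 900;   // token lifetime: 15 minutes
$store = [];                     // userId => ['hash' => ..., 'expires' => ...]

// Issue a token: 256 bits from the CSPRNG instead of md5(time() . $userid),
// so the value in the emailed link is not guessable from the user id and
// the time the form was submitted.
function issue_reset_token(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    // Persist only a hash of the token; a leaked table row is then not
    // enough to reset the password.
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + RESET_TTL_SECONDS,
    ];
    return $token;                // this value goes into the reset link
}

// Verify the token from the link; returns true only for a live, unused,
// matching token and invalidates it on success (single use).
function verify_reset_token(array &$store, int $userId, string $token): bool
{
    if (!isset($store[$userId]) || time() > $store[$userId]['expires']) {
        return false;             // no pending reset, or it has expired
    }
    // hash_equals() compares in constant time, so response timing does
    // not leak the stored hash byte by byte.
    if (!hash_equals($store[$userId]['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$userId]);       // a token can be used exactly once
    return true;
}

// Constructed walkthrough for user id 1.
$token = issue_reset_token($store, 1);
var_dump(verify_reset_token($store, 1, 'not-the-token'));   // wrong token
var_dump(verify_reset_token($store, 1, $token));            // correct token
var_dump(verify_reset_token($store, 1, $token));            // replay after use
```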