Account takeover via password reset in alovoa/alovoa


Reported on

Aug 27th 2023


An attacker could predict all future password reset tokens due to the use of RandomStringUtils.randomAlphanumeric in PasswordService. An attacker could crack the random number generator (RNG) seed from a password reset token, then perform password resets on their and the victim’s accounts, and then use the former token to find the location of the latter (for the victim’s account).

Attack scenario

  1. An attacker finds out the victim’s email address (or attacks for more impact).
  2. The attacker obtains their password reset token from the application via email. The random seed can be cracked in about 2 hours and used to predict any amount of reset tokens (say, 10K or 10M).
  3. Then the attacker uses a password reset on their and the victim’s accounts, finds their token in the list, and uses the rest of the tokens one by one with the victim’s email at /password/change.

To compromise an account of a regular user, an attacker would need to know their email address, but in general it is not difficult to find on the other social media. In the case of the admin account, the email is already known.

Proof of Concept

There is a proof of concept taking one value generated by RandomStringUtils and reversing it to generate all of the past/future RNG values. I have verified that it works by requesting a few reset tokens and using the first one to reverse the random seed (this took about 4 hours) and predict 3000 more. The time used to find the seed does not matter, because now it's possible to generate new tokens indefinitely. I found the other tokens sent by Alovoa on lines 1, 33, and 65, so the attack is feasible. The tool sreenshots and the generated tokens were sent to the vendor (

How to fix

Use or another safe random number generator (RNG) implementation with RandomStringUtils. That is how JHipster fixed this.


An attacker could predict all future password reset tokens to take over the accounts of users who do not use OAuth (impacts confidentiality and integrity). This vulnerability could also be used to bypass email verification during registration and account deletion (impacts availability).


public UserRegisterToken generateToken(User user) {
        UserRegisterToken token = new UserRegisterToken();
        token.setDate(new Date());
        return token;
// src/main/java/com/nonononoki/alovoa/service/
public UserDeleteToken deleteAccountRequest() throws MessagingException, IOException, AlovoaException {
        User user = authService.getCurrentUser(true);
        UserDeleteToken token = new UserDeleteToken();
        Date currentDate = new Date();

We are processing your report and will contact the alovoa team within 24 hours. 25 days ago
Max Harpsiford modified the report
25 days ago
Max Harpsiford modified the report
25 days ago
Max Harpsiford modified the report
24 days ago
We have contacted a member of the alovoa team and are waiting to hear back 24 days ago
Nho Quy Dinh validated this vulnerability 23 days ago
Max Harpsiford has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nho Quy Dinh marked this as fixed in 1.2.0 with commit a027b1 23 days ago
Nho Quy Dinh has been awarded the fix bounty
This vulnerability will not receive a CVE
Nho Quy Dinh published this vulnerability 23 days ago has been validated has been validated
to join this conversation