We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Account takeover via password reset in alovoa/alovoa

Valid

Reported on

Aug 27th 2023

Description

An attacker could predict all future password reset tokens due to the use of RandomStringUtils.randomAlphanumeric in PasswordService. An attacker could crack the random number generator (RNG) seed from a password reset token, then perform password resets on their and the victim’s accounts, and then use the former token to find the location of the latter (for the victim’s account).

Attack scenario

  1. An attacker finds out the victim’s email address (or attacks admin@alovoa.com for more impact).
  2. The attacker obtains their password reset token from the application via email. The random seed can be cracked in about 2 hours and used to predict any amount of reset tokens (say, 10K or 10M).
  3. Then the attacker uses a password reset on their and the victim’s accounts, finds their token in the list, and uses the rest of the tokens one by one with the victim’s email at /password/change.

To compromise an account of a regular user, an attacker would need to know their email address, but in general it is not difficult to find on the other social media. In the case of the admin account, the email is already known.

Proof of Concept

There is a proof of concept taking one value generated by RandomStringUtils and reversing it to generate all of the past/future RNG values. I have verified that it works by requesting a few reset tokens and using the first one to reverse the random seed (this took about 4 hours) and predict 3000 more. The time used to find the seed does not matter, because now it's possible to generate new tokens indefinitely. I found the other tokens sent by Alovoa on lines 1, 33, and 65, so the attack is feasible. The tool sreenshots and the generated tokens were sent to the vendor (contact@alovoa.com).

How to fix

Use java.security.SecureRandom or another safe random number generator (RNG) implementation with RandomStringUtils. That is how JHipster fixed this.

Impact

An attacker could predict all future password reset tokens to take over the accounts of users who do not use OAuth (impacts confidentiality and integrity). This vulnerability could also be used to bypass email verification during registration and account deletion (impacts availability).

Occurrences

public UserRegisterToken generateToken(User user) {
        UserRegisterToken token = new UserRegisterToken();
        token.setContent(RandomStringUtils.randomAlphanumeric(tokenLength));
        token.setDate(new Date());
        token.setUser(user);
        return token;
    }

// src/main/java/com/nonononoki/alovoa/service/UserService.java:291~296
public UserDeleteToken deleteAccountRequest() throws MessagingException, IOException, AlovoaException {
        User user = authService.getCurrentUser(true);
        UserDeleteToken token = new UserDeleteToken();
        Date currentDate = new Date();

        token.setContent(RandomStringUtils.randomAlphanumeric(tokenLength));
We are processing your report and will contact the alovoa team within 24 hours. 25 days ago
Max Harpsiford modified the report
25 days ago
Max Harpsiford modified the report
25 days ago
Max Harpsiford modified the report
24 days ago
We have contacted a member of the alovoa team and are waiting to hear back 24 days ago
Nho Quy Dinh validated this vulnerability 23 days ago
Max Harpsiford has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nho Quy Dinh marked this as fixed in 1.2.0 with commit a027b1 23 days ago
Nho Quy Dinh has been awarded the fix bounty
This vulnerability will not receive a CVE
Nho Quy Dinh published this vulnerability 23 days ago
UserService.java#L297 has been validated
RegisterService.java#L213 has been validated
to join this conversation