Account takeover via password reset in alovoa/alovoa
Aug 27th 2023
An attacker could predict all future password reset tokens due to the use of
PasswordService. An attacker could crack the random number generator (RNG) seed from a password reset token, then perform password resets on their and the victim’s accounts, and then use the former token to find the location of the latter (for the victim’s account).
- An attacker finds out the victim’s email address (or attacks
email@example.com more impact).
- The attacker obtains their password reset token from the application via email. The random seed can be cracked in about 2 hours and used to predict any amount of reset tokens (say, 10K or 10M).
- Then the attacker uses a password reset on their and the victim’s accounts, finds their token in the list, and uses the rest of the tokens one by one with the victim’s email at
To compromise an account of a regular user, an attacker would need to know their email address, but in general it is not difficult to find on the other social media. In the case of the admin account, the email is already known.
Proof of Concept
There is a proof of concept taking one value generated by RandomStringUtils and reversing it to generate all of the past/future RNG values. I have verified that it works by requesting a few reset tokens and using the first one to reverse the random seed (this took about 4 hours) and predict 3000 more. The time used to find the seed does not matter, because now it's possible to generate new tokens indefinitely. I found the other tokens sent by Alovoa on lines 1, 33, and 65, so the attack is feasible. The tool sreenshots and the generated tokens were sent to the vendor (firstname.lastname@example.org).
How to fix
java.security.SecureRandom or another safe random number generator (RNG) implementation with
RandomStringUtils. That is how JHipster fixed this.
An attacker could predict all future password reset tokens to take over the accounts of users who do not use OAuth (impacts confidentiality and integrity). This vulnerability could also be used to bypass email verification during registration and account deletion (impacts availability).