Authentication Bypass

Severity: High
Bug ID: 692
Researcher: dia2diab
Status: Disclosed
Submitted: 07/01/2015

Description:

Authentication Bypass Activation Code step

Affected URL:

https://crowdshield.com/account.php?hash=

Affected Params:

hash

Bug Evidence:

When I went to register on your web site, I found that you sent me an activation URL by e-mail with a simple hash:

1- https://crowdshield.com/account.php?hash=c7e1249ffc03eb9ded908c236bd1996d
2- https://crowdshield.com/account.php?hash=55a7cf9c71f1c9c495413f934dd1a158
3- https://crowdshield.com/account.php?hash=24b16fede9a67c9251d3e7c7161c83ac

As you can see, these are the three activation URLs for three e-mail addresses. The problem is that the hash value is the MD5 of a random number:

c7e1249ffc03eb9ded908c236bd1996d => md5(87)
55a7cf9c71f1c9c495413f934dd1a158 => md5(492)
24b16fede9a67c9251d3e7c7161c83ac => md5(372)

This lets an attacker register with any e-mail address on the internet that does not belong to him and easily activate the account on crowdshield.com.

A simple Python script that requests MD5 values as
https://crowdshield.com/account.php?hash=[PayLoad_here]
confirms this.

Bug Recommendation:

I recommend making this hash more complicated.
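As an added example (not CrowdShield's code and not the researcher's PoC), the weak scheme the report describes beside a hardened activation flow; the in-memory store, the e-mail addresses and the 24-hour lifetime are assumptions:

```python
import hashlib
import secrets
import time

# Weak scheme from the report: the activation "hash" is the MD5 of a random
# integer, so anyone can enumerate the keyspace (the report's values are all
# under 1000). It exists here only for contrast; never issue tokens this way.
def weak_activation_hash(n: int) -> str:
    return hashlib.md5(str(n).encode()).hexdigest()

# Hardened scheme (assumed design, not CrowdShield's code): a 256-bit random
# token, stored only as its SHA-256 digest, bound to the e-mail address,
# expiring after TOKEN_TTL_SECONDS and accepted exactly once.
TOKEN_TTL_SECONDS = 24 * 3600  # assumption: one-day activation window

def issue_activation_token(store: dict, email: str, now: float) -> str:
    """Create a pending activation and return the token to put in the e-mail."""
    token = secrets.token_urlsafe(32)  # 32 random bytes, ~43 URL-safe characters
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token

def activate(store: dict, presented: str, now: float):
    """Return the e-mail address that was activated, or None if the token is
    unknown, expired or already used."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    record = store.get(digest)  # keyed by digest: a leaked store exposes no live token
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # single use: a replayed link must not work
    return record["email"]

if __name__ == "__main__":
    store = {}
    tok = issue_activation_token(store, "alice@example.com", time.time())  # constructed
    print(activate(store, tok, time.time()))  # alice@example.com
    print(activate(store, tok, time.time()))  # None: token already consumed
```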

Direct Chat

dia2diab 07/01/2015
submitted an Authentication Bypass bug to CrowdShield

dia2diab 07/01/2015
Maybe you will like to view the simple Python code for my POC: https://gist.github.com/DiaaDiab/8a50218642bfa330f3ad

CrowdShield 07/02/2015
Hi, thanks for the info. Nice PoC script btw. Acknowledging this for now and will look at making the activation hash more complex going forward.

CrowdShield 07/02/2015
awarded 20 points to dia2diab for an Authentication Bypass bug

CrowdShield 07/02/2015
closed an Authentication Bypass bug submitted by dia2diab

CrowdShield 07/02/2015
disclosed an Authentication Bypass bug submitted by dia2diab