OpenML Web Application Predictable Token Vulnerability in User Workflow

Vulnerability

A vulnerability exists in the OpenML web application version 2.0.20241110, where predictable MD5-based tokens are used for critical user workflows, including signup confirmation, password resets, email confirmation resends, and email change confirmations. These tokens are generated by hashing the current timestamp without incorporating user-specific data or cryptographic randomness, making them predictable. This allows remote attackers to brute-force valid tokens within a short time window, leading to unauthorized account confirmations, password resets, and email change approvals, with the potential for account takeovers.

Impact

Exploitation of this vulnerability allows for full account takeovers, unauthorized password resets, and unauthorized email change confirmations.

Reproduction

To reproduce this vulnerability, deploy OpenML version 2.0.20241110 using the provided Docker setup. Once deployed, trigger a vulnerable endpoint that generates a token, such as requesting a password reset. After the token is generated, calculate the MD5 hash of the timestamp corresponding to the token generation time. This can be done by enumerating all possible timestamps within the token generation window across different time zones. Submit the generated tokens to the verification endpoint. If successful, the account associated with the token will be compromised.

Remediation

Users can update to OpenML version 2.0.20251111, which addresses this vulnerability.
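The weakness class described above (a token that is only the MD5 of the issue time) beside the hardened scheme a fix of this kind relies on: an unpredictable token from the OS CSPRNG, stored only as a hash, bound to a user and a purpose, time-limited and single-use. This is an added illustration in Python, not OpenML's code; the in-memory store, `TOKEN_TTL_SECONDS` and the function names are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime for reset/confirmation links


@dataclass
class PendingToken:
    user_id: int
    purpose: str       # e.g. "password_reset", "email_change"
    expires_at: float  # absolute Unix time


# Hypothetical in-memory store keyed by the token's SHA-256; a real app uses its DB.
_store: Dict[str, PendingToken] = {}


def weak_token(now: float) -> str:
    """The advisory's weakness: MD5 of the current second, no secret input, so
    anyone who knows roughly when it was issued can recompute it."""
    return hashlib.md5(str(int(now)).encode()).hexdigest()


def issue_token(user_id: int, purpose: str, now: Optional[float] = None) -> str:
    """Hardened: 256 random bits, persisted only as a hash (a DB leak does not
    expose live tokens), bound to one user and one purpose, with an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _store[digest] = PendingToken(user_id, purpose, now + TOKEN_TTL_SECONDS)
    return token  # only ever sent to the user's verified mailbox


def redeem_token(token: str, user_id: int, purpose: str, now: Optional[float] = None) -> bool:
    """Look the token up by hash, check user binding, purpose and expiry, and burn
    it on any presentation so it is single-use. Comparing hashes of a random
    256-bit value leaks nothing useful through timing."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _store.pop(digest, None)
    if entry is None:
        return False
    return entry.user_id == user_id and entry.purpose == purpose and now < entry.expires_at
```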

Added: Nov 18, 2025, 5:27 PM
Updated: Nov 18, 2025, 6:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.6
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.