Activation Link Vulnerability


Nowadays, hacking and cracking is simple. I have even  found this vulnerability in well-ranked websites. I would like to expose that vulnerability here so that you all will be aware of this.


Understanding of cryptography and hashing algorithms.

I will explain how to find the vulnerability and bypass it.


Let's consider a website,

The website will usually send an activation link to the mail id which you had entered in the registration form.

Activation Link Vulnerability


Login to your mail and check for the activation link. Only after clicking that activation link will the account be verified.

The website may have used the hash of your emailid or mobilenumber or any of your information you filled in the registration form for the activation link.

First, note down the activation link that has been sent to you. In my case, the activation link was as follows:


Here, we have to identify which information (datas entered in the registration form) is used for hashing and which hash algorithm is used in the activation link.

In my case, I have used the email as information for demonstration.

Mail id -- [email protected]

I will tell you how to find the hash in an easy way. There are many websites that generate hashes -- I  recommend

Activation Link Vulnerability

So, from all the hashes generated for [email protected], compare the hash generated with the hash in the activation link.

Now, you can find that the SHA-512 matches them (the site may have used any of the hashing algorithms, so for finding which hashing is used, first test with your very own mailid).


****Activation link exposed *****

Finally, we came to know that the activation link hashes used SHA-512 and emailid as information.

Then the activation link for any of the email id will be as follows: hash of emailid)


By using this vulnerability anyone can gain access for activating the account. So, every activation link has to be salted (In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase. Salts are used to safeguard passwords in storage.).


Most of the sites use salted tokens nowadays. So this method of bypassing will not work out in most of the well-maintained websites .

Similar Articles