@SonarResearch Reminds me of a slightly different exploitable bug in #Gambio's password reset which I had discovered (probably not been the first one).

They used mt_srand with only 1000000 possible seeds based on time to generate the password reset token. Might have been possible to predict it based on time (did not work out so well) or brute-force it with educated guesses (noisy, slow), but the code did worse:

When sending the token it generated a captcha which was based on the same #PRNG sequence. Requesting the captcha manually, one could solve it offline to find the PRNG seed which was also used to generate the password reset token.

This wasn't the 90's, but I saw it still in use in 2020. Later versions fixed this in different ways, for example by using a stronger RNG without using a bad seed.

#Google_Fonts
#lokal_einbinden

Google Fonts Abmahnwelle! Schützen Sie sich mit einer Anleitung zur lokalen Einbindung
von Thomas Josef Zieba
(mit Links zur Einbindung über #Shopware, #Wordpress, #Wix, #Gambio, #Jimdo)

https://legal.trustedshops.com/blog/google-fonts-abmahnwelle-schuetzen-sie-sich-mit-einer-anleitung-zur-lokalen-einbindung