Posted by Charles Fol

Tags: php, mt_rand, mt_srand, predict, seed, bruteforce

Introduction

While performing a pentest on an old website, we encountered a piece of code that we had not seen in a long time:

```php
function resetPassword($email) {
    [...]
    $superSecretToken = md5($email . ':' . mt_rand());
    [...]
    $this->sendEmailWithResetToken($email, $superSecretToken);
}
```

A token, deemed secret and unguessable, was genera
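For contrast, here is the same reset flow written so that the token does not depend on mt_rand() at all. This is an added example, not code from the post or from the audited site: the class name, the in-memory store, the 15-minute lifetime and the lookup/verify methods are assumptions made for illustration; only resetPassword() and sendEmailWithResetToken() come from the snippet above.

```php
<?php
declare(strict_types=1);

// Added example (not the original post's code). Everything except the names
// resetPassword() and sendEmailWithResetToken() is assumed for illustration.
final class PasswordResetService
{
    private const TOKEN_BYTES = 32;   // 256 bits of entropy
    private const TOKEN_TTL   = 900;  // seconds a reset link stays valid (assumed policy)

    /** @var array<string, array{hash: string, expires: int}> in-memory stand-in for a DB table */
    private array $store = [];

    public function resetPassword(string $email): string
    {
        // random_bytes() reads the OS CSPRNG and throws if no secure source exists,
        // whereas mt_rand() output is fully determined by a 32-bit seed.
        $token = bin2hex(random_bytes(self::TOKEN_BYTES));

        // Persist only a hash of the token, so a leaked table yields nothing usable,
        // and keep the email out of the token entirely.
        $this->store[$email] = [
            'hash'    => hash('sha256', $token),
            'expires' => time() + self::TOKEN_TTL,
        ];

        $this->sendEmailWithResetToken($email, $token);
        return $token; // returned here only so the caller below can demonstrate verification
    }

    public function verifyResetToken(string $email, string $presented): bool
    {
        $record = $this->store[$email] ?? null;
        if ($record === null || $record['expires'] < time()) {
            return false;
        }
        // Constant-time comparison: no timing signal on how many leading bytes matched.
        $ok = hash_equals($record['hash'], hash('sha256', $presented));
        if ($ok) {
            unset($this->store[$email]); // single use
        }
        return $ok;
    }

    private function sendEmailWithResetToken(string $email, string $token): void
    {
        // Mail delivery is out of scope for the example; a real service would send a link here.
        printf("reset link for %s: https://example.invalid/reset?token=%s\n", $email, $token);
    }
}

// Usage with a constructed address.
$svc   = new PasswordResetService();
$token = $svc->resetPassword('user@example.invalid');
var_dump($svc->verifyResetToken('user@example.invalid', $token));         // bool(true)
var_dump($svc->verifyResetToken('user@example.invalid', $token));         // bool(false): already consumed
var_dump($svc->verifyResetToken('user@example.invalid', str_repeat('0', 64))); // bool(false)
```

The three changes that matter are the entropy source (random_bytes instead of mt_rand), storing a hash rather than the token, and comparing with hash_equals; the expiry and single-use handling are conventional additions a reviewer would expect alongside them.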