How I HACKED an admin account via the password reset IDOR function of one private currency exchanger site

Sorry for my bad English and grammar :D :D

One day I was searching for a site for hunting and I got one site and started testing. On the first day I didn't get anything, and I was not able to make an account on the site, but the next day I created a new account for myself without verification. I was thinking about how I could hack any user's account, and one idea came to my mind and I started to test it: that idea was password reset. I put my email in forgot password and clicked on send password reset email, and finally I got an email like this:

https://site.com/password.php?email=myemail@email.com?hash=snogvF1iLmWfvg35w5udzOSGrjREQLYAW60DwAYhezR1l

First I tried to understand the hash, and later I still didn't know about the hash. Again I sent a password reset email to my account and I got the same email and the same hash, and I felt shocked :D :o
And again I sent a password reset email to my email account and again I got the same email, and I felt a little bit happy because there is the same hash for every password reset email. I tried for another account and I got the same hash; this means there is the same hash for every account. At last I tried this:

https://site.com/password.php?email=admin@email.com?hash=snogvF1iLmWfvg35w5udzOSGrjREQLYAW60DwAYhezR1l

and I saw two boxes:

New Password:-

Confirm Password:-

and I entered a password and tried to open their account, and at last I could open the admin account as well as everyone's account.

Bug Status:-patched

Bounty:- still no bounty and no reply, but patched :)

#Happy_Hacking
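
The flaw described above is a reset hash that is identical for every request and every account, so the email parameter alone decides whose password is changed. As an added example (not part of the original post and not the site's code), the Python below puts that check beside a per-request, account-bound, single-use, expiring token; the class and function names, the TTL, the placeholder value and the addresses used with it are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60                 # assumed lifetime, tune to policy
STATIC_HASH = "STATIC-VALUE-PLACEHOLDER"    # constructed stand-in, not the site's value


def flawed_redeem(email, token):
    """The behaviour the post describes: one value accepted for any email."""
    return token == STATIC_HASH             # email never takes part in the check


class ResetTokenStore:
    """In-memory stand-in for a reset-token table (hypothetical schema)."""

    def __init__(self, now=time.time):
        self._rows = {}                     # email -> (sha256(token), expires_at)
        self._now = now

    def issue(self, email):
        # Fresh 256-bit random token per request; a new request replaces the old one.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[email] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token                        # sent by e-mail; only the digest is stored

    def redeem(self, email, token):
        # Lookup is keyed by the account the token was issued for, so a token
        # mailed to one address is useless against any other address.
        row = self._rows.get(email)
        if row is None:
            return False
        digest, expires_at = row
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._rows[email]               # single use, even when expired
        return self._now() <= expires_at
```

Only after `redeem` returns True should the new-password form be accepted, and the account to update must come from the stored row, never from a request parameter.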