[popol12]

Let's say I have a string S.

MD5(MD5(S)) = Y

Now, I find a collision string SS (of length 128 bits, like an MD5 hash), where MD5(SS) == Y

Then I find a collision string SSS (this time, length doesn't matter), where MD5(SSS) == SS

Then we have MD5(MD5(SSS)) == Y, which was only twice harder than finding a single MD5 collision.

Could someone explain what is wrong with my reasoning ?

Edit: Oh okay, got it, when we say "MD5 is broken, it's possible to do a collision attack", what we mean is that we can easily find 2 strings S1 and S2 where MD5(S1) == MD5(S2) But S1 and S2 and found randomly, we don't have a way to find a string S3 where MD5(S3) == Y for any Y value (that is what we call a pre-image attack, not a collision attack)