Password Reset Token Leak Via Referrer

Summary:

I found this vulnerability in a responsible disclosure program and was rewarded with a Hall of Fame listing.

What is the Referer header?

The HTTP Referer (the header name keeps its historical misspelling of "referrer") is an optional request header that tells the server which page the request came from. When you follow a link, submit a form, or when a page loads an image or script, the browser sends the full URL of the page that triggered the request, unless a referrer policy tells it to send only the origin or nothing at all. Because it carries the full URL, it also carries anything in the query string of that URL.

Why is this a vulnerability?

If a page whose URL contains a password reset token links to, or loads resources from, another site, the browser sends that URL, token included, in the Referer header of the request to the other site. Whoever operates that site (or can read its access logs) now holds a valid reset token and can set a new password on the victim's account. This is token leakage leading to account takeover, not CSRF: the attacker does not need to forge any request from the victim's browser, the browser hands the secret over on its own.

For example: a site has password reset functionality. User A requests a reset and opens the emailed link, which looks like https://site/reset?token=... . The reset page embeds social media buttons served by third parties. Each of those requests carries a Referer header with the reset URL, so the third party receives the token and can use it to compromise user A's account before user A finishes the reset. The usual fixes are to set a restrictive Referrer-Policy on the reset page (no-referrer or same-origin), to avoid loading third-party content on pages that carry secrets, and to make the token single-use and short-lived, or to redirect immediately to a URL that no longer contains it.

How to find this vulnerability?

1. Go to any website that has password reset functionality.

(Screenshot: Password reset page)

2. Enter your email and click send. The site will send a password reset link to your email.

(Screenshot: Requested password reset)

3. Open your email and click the link to change the password.

(Screenshot: Reset password email)

4. You'll find your password reset token in the URL, and you can see third-party apps (social media buttons) at the bottom of the page.

(Screenshot: Password reset token and third-party app)

5. Click any of the apps (Twitter, Facebook, LinkedIn) shown on the page and intercept the request with Burp Suite.

(Screenshot: Token leakage via referrer)

6. In the intercepted request to the third party, the Referer header contains the full reset URL, so your token is leaking to that third party. Check the response headers of the reset page as well: if there is no Referrer-Policy header (or it is set to unsafe-url or no-referrer-when-downgrade), the leak is confirmed rather than being an artefact of your own browser settings.
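To see exactly which Referrer-Policy values let the token reach a third party, the following simulates the browser's "determine request's referrer" algorithm for each policy value. This is an added example, not code from the original post: the URLs, the parameter name `token` and the value `abc123` are constructed for illustration, and the downgrade test is simplified to https-to-http (the specification talks about "potentially trustworthy" targets, which also covers localhost).

```python
"""Simulate what a browser puts in the Referer header when a page that
carries a password-reset token in its URL makes a request to another
site, for each Referrer-Policy value.  Added example, not the original
post's code; URLs and the token value are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# The eight policy values defined by the Referrer Policy specification.
# An empty policy means "none set"; current browsers then apply
# strict-origin-when-cross-origin.
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, p.hostname, p.port or _DEFAULT_PORTS.get(scheme))


def _is_tls(url):
    return urlsplit(url).scheme.lower() == "https"


def _strip(url, origin_only=False):
    """'Strip url for use as a referrer': drop credentials and fragment;
    for an origin-only referrer also drop path and query."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    if origin_only:
        return urlunsplit((p.scheme, netloc, "/", "", ""))
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referer_for(document_url, target_url, policy=""):
    """Return the Referer value the browser sends for a request from
    document_url to target_url, or None if the header is omitted."""
    policy = policy or "strict-origin-when-cross-origin"
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy {policy!r}")
    same_origin = _origin(document_url) == _origin(target_url)
    # Simplification: a downgrade is https -> http; the spec's notion of
    # "potentially trustworthy" target also admits localhost and file:.
    downgrade = _is_tls(document_url) and not _is_tls(target_url)
    full = _strip(document_url)
    origin_only = _strip(document_url, origin_only=True)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin_only
    # strict-origin-when-cross-origin (also the browser default)
    if same_origin:
        return full
    return None if downgrade else origin_only


def token_leaks(document_url, target_url, policy="", param="token"):
    """True if query parameter `param` of the document URL reaches the
    target through the Referer header under the given policy."""
    ref = referer_for(document_url, target_url, policy)
    return ref is not None and param in parse_qs(urlsplit(ref).query)


def leaking_policies(document_url, target_url, param="token"):
    """The set of policy values under which the token would leak."""
    return {p for p in POLICIES if token_leaks(document_url, target_url, p, param)}


if __name__ == "__main__":
    # Constructed sample: the reset page from the post's walkthrough
    # embeds a share button served by a third-party host.
    reset_page = "https://example.test/reset?token=abc123"
    share_button = "https://social.example/share?u=example.test"
    for p in ("",) + POLICIES:
        print(f"{p or '(none)':32} Referer: {referer_for(reset_page, share_button, p)}")
    print("leaking policies:", sorted(leaking_policies(reset_page, share_button)))
```

Running it shows that only unsafe-url and no-referrer-when-downgrade expose the token to an https third party; under the browser default the third party sees just https://example.test/. Two caveats: a site that explicitly sets one of those two policies, or serves the page over https to a button on http with no-referrer-when-downgrade, reintroduces the leak, and the Referer is only one channel, since the token also sits in the victim's browser history and in any proxy or analytics log that records full URLs.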

Thank You :)

Instagram: jerry._.3

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|
