Password Reset Token Leak Via Referrer

Jerry Shah (Jerry)
2 min readJan 22, 2020

Summary:

I found this vulnerability in a responsible disclosure program and I was rewarded with a Hall of Fame listing.

What is a referrer?

The HTTP referrer is an optional request header that identifies the address of the web page that links to the resource being requested. The Referer header (the misspelling is part of the standard) carries the URL of the previous page from which the link to the currently requested page was followed, including that page's query string.

Why is this a vulnerability?

It allows whoever controls the third-party site that receives the Referer header to change the user's password (CSRF attack), because that site now knows the user's password reset token.

For example: a site www.mydomain.com has password reset functionality. User A resets their password through it, and the reset page (whose URL contains the token) also links to other sites. When User A follows one of those links, the request carries a Referer header with the full URL of the reset page, password reset token included. The owner of the other site can then use that token to compromise the victim's account.
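The leak depends on the Referrer-Policy in force on the reset page. The following is an added example (not from the original post) that computes the Referer value a browser would send for each standard policy, using a constructed reset URL and a constructed token value, and reports which policies expose the token to a cross-origin destination. Under unsafe-url and the older default no-referrer-when-downgrade the whole URL, token included, goes to the third party; under strict-origin-when-cross-origin only the origin does; under no-referrer nothing is sent. Note that same-origin links still carry the token under every policy except no-referrer.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample values for the example; the token is a placeholder.
EXAMPLE_RESET_URL = "https://www.mydomain.com/reset?token=EXAMPLE-TOKEN-123"
EXAMPLE_THIRD_PARTY = "https://twitter.com/share"

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin(url):
    """scheme://host[:port]/ as browsers serialise it for the Referer header."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def full_referer(url):
    """Full URL as sent in Referer: fragment dropped, query string kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def referer_for(policy, source, destination):
    """Referer value a browser sends when navigating source -> destination
    under the given Referrer-Policy, or None if no header is sent.
    Follows the W3C Referrer Policy rules for the eight named policies."""
    src, dst = urlsplit(source), urlsplit(destination)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full, org = full_referer(source), origin(source)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return org
    if policy == "strict-origin":
        return None if downgrade else org
    if policy == "origin-when-cross-origin":
        return full if same_origin else org
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else org
    raise ValueError(f"unknown referrer policy: {policy}")


def token_leaks(policy, reset_url, destination, param="token"):
    """True if the reset token parameter would reach the destination's server
    in the Referer header under this policy."""
    ref = referer_for(policy, reset_url, destination)
    if ref is None:
        return False
    return param in parse_qs(urlsplit(ref).query)


def audit(reset_url, destination):
    """Map each policy to whether the token leaks to the given destination."""
    return {p: token_leaks(p, reset_url, destination) for p in POLICIES}


if __name__ == "__main__":
    for policy, leaks in audit(EXAMPLE_RESET_URL, EXAMPLE_THIRD_PARTY).items():
        print(f"{policy:32} {'LEAKS TOKEN' if leaks else 'safe'}")
```

The audit is a model of browser behaviour, not a capture: to confirm what a real browser sends, check the Referer header on the proxied request, as the steps below do.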

How to find this vulnerability?

1. Go to any website that has password reset functionality

Password reset page

2. Enter your email and click send. The site will send the password reset link to your email

Requested Password reset

3. Now open your email and click on that link to change the password

Reset Password Email

4. You’ll find your password reset token in the URL, and you can see the third-party apps at the bottom of the page

Password reset token and third party app

5. Now click on any of the apps (Twitter, Facebook, LinkedIn) linked from the web page and intercept the request using Burp Suite

Token leakage via referrer

6. You’ll see that your token is leaking to the third party via the Referer header
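The fix on the server side is to make sure the token is never in the URL of a page that links anywhere. The following is an added example (not from the original post or any real application) of a reset flow that consumes the e-mailed token on the first request, binds it to a fresh session cookie, and redirects to a token-free URL before rendering the form; it also sends Referrer-Policy: no-referrer and Cache-Control: no-store. The handlers are framework-free functions returning (status, headers, body); the in-memory stores RESET_TOKENS and SESSIONS, the route paths and the cookie name are assumptions for the example.

```python
import secrets
import time
from urllib.parse import parse_qs

# Constructed in-memory stores standing in for the application's database and
# session backend (assumed names, not from the original post).
RESET_TOKENS = {}   # token -> {"user": user_id, "expires": unix_time}
SESSIONS = {}       # session_id -> {"reset_user": user_id, "expires": unix_time}
RESET_TTL = 15 * 60  # seconds a token or reset session stays valid

# Sent on every response in the reset flow: no Referer from these pages at all,
# and no copy of them in browser or proxy caches.
NO_LEAK_HEADERS = {
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def issue_reset_token(user_id):
    """Create the single-use, time-limited token embedded in the e-mailed link."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user": user_id, "expires": time.time() + RESET_TTL}
    return token


def handle_reset_link(query_string, now=None):
    """GET /reset?token=...  (the link from the e-mail).

    The token is consumed on this first request and exchanged for a session
    cookie; the browser is then redirected to a URL that carries no token, so
    nothing the user clicks on the following page can expose it through the
    Referer header, whatever referrer policy the browser applies.
    """
    now = time.time() if now is None else now
    token = parse_qs(query_string).get("token", [None])[0]
    # pop() makes the token single use even if the redirect target is reloaded
    entry = RESET_TOKENS.pop(token, None) if token else None
    if entry is None or entry["expires"] < now:
        return 400, dict(NO_LEAK_HEADERS), "Invalid or expired reset link"

    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"reset_user": entry["user"], "expires": now + RESET_TTL}
    headers = dict(NO_LEAK_HEADERS)
    headers["Location"] = "/reset-password"          # no token in the URL
    headers["Set-Cookie"] = (
        f"reset_session={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"
    )
    return 303, headers, ""


def handle_reset_form(cookies, now=None):
    """GET /reset-password  (token-free page that shows the new-password form).

    Only the session cookie identifies the reset in progress; the URL carries
    nothing worth leaking, so third-party links on this page are harmless.
    """
    now = time.time() if now is None else now
    session = SESSIONS.get(cookies.get("reset_session", ""))
    if session is None or session["expires"] < now:
        return 400, dict(NO_LEAK_HEADERS), "Start the password reset again"
    body = '<form method="post" action="/reset-password">...</form>'
    return 200, dict(NO_LEAK_HEADERS), body


if __name__ == "__main__":
    t = issue_reset_token("alice")
    status, headers, _ = handle_reset_link(f"token={t}")
    print(status, headers["Location"], headers["Referrer-Policy"])
```

The redirect is the important part: the Referrer-Policy header alone protects only browsers that honour it on that page, whereas removing the token from the URL leaves nothing for the Referer header to carry, and single-use consumption limits the damage if a token is ever exposed anyway.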

Thank you :)

Instagram: jerry._.3
