TOYOTA’s Password reset token and Email Address leak via Referer header

Jayson Vasquez Rubio
Feb 27, 2019

Description:

It has been identified that the application leaks sensitive URL data through the Referer header. In this case, the password reset token is leaked to third-party sites, which is an issue because it can allow any malicious user to use the token and reset the victim's password.

Steps To Reproduce:

1.) Request a password reset link for a valid account by clicking "Forgot password" here:

https://www.toyota.com/owners/sign-in-help

2.) Install the Live HTTP Header add-on in Firefox.
3.) Open your mail inbox and open the Live HTTP Header add-on.
4.) Capture the request.
5.) Before resetting the password, click on the password reset link.
6.) You will notice the following requests in your tool.

List of requests leaking data via the Referer header:

A.)

    GET https://621119.fls.doubleclick.net/activityi;src=621119;type=parts195;cat=traffic;dc_lat=;dc_rdid=;ord=1;num=6881027890976;~oref=https%3A%2F%2Fwww.toyota.com%2Fowners%2Fsign-in-help%3Ftoken%3DJAQBae3V-Zrl-Zf-rdgqnH3DQCLzzLoBClOpDZFMj-V7o8ttLl%252BuY9VUYCegbJzcBktx7hKeXnoltK0AqCvGHEMVclggM7Uz8YbFm5yc0U4_%26source%3Dadmin%26siteid%3Ddmg_toyotacy17signinhelptroublesignin_020718_resetpassword_body%26%26et_cid%3D3453143%26et_rid%3Drubiojhayz1234%40gmail.com HTTP/1.1
    Host: 621119.fls.doubleclick.net
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://www.toyota.com/owners/sign-in-help?token=JAQBae3V-Zrl-Zf-rdgqnH3DQCLzzLoBClOpDZFMj-V7o8ttLl%2BuY9VUYCegbJzcBktx7hKeXnoltK0AqCvGHEMVclggM7Uz8YbFm5yc0U4_&source=admin&siteid=dmg_toyotacy17signinhelptroublesignin_020718_resetpassword_body&&et_cid=3453143&et_rid=rubiojhayz1234@gmail.com

B.)

    GET https://tags.bluekai.com/site/50842?limit=1&phint=d4a%3D1 HTTP/1.1
    Host: tags.bluekai.com
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://www.toyota.com/owners/sign-in-help?token=JAQBae3V-Zrl-Zf-rdgqnH3DQCLzzLoBClOpDZFMj-V7o8ttLl%2BuY9VUYCegbJzcBktx7hKeXnoltK0AqCvGHEMVclggM7Uz8YbFm5yc0U4_&source=admin&siteid=dmg_toyotacy17signinhelptroublesignin_020718_resetpassword_body&&et_cid=3453143&et_rid=rubiojhayz1234@gmail.com

Impact:

Password Reset Token and Email Address Leaking to Third Party Sites
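
The check below is an added example, not part of the original report: a Python audit that scans captured requests shaped like A and B above and flags every third-party request that carries a sensitive parameter, either in the Referer header or copied into the request URL itself (as with `~oref=` in request A). The hosts, the token value, the e-mail address and the function names are constructed for illustration; only the parameter names `token` and `et_rid` come from the report.

```python
import re
from urllib.parse import urlsplit, unquote

# Parameter names treated as sensitive (the two seen in the report above).
SENSITIVE = ("token", "et_rid")
PATTERN = re.compile(r"[?&;](%s)=" % "|".join(map(re.escape, SENSITIVE)))

def sensitive_names(text):
    """Sensitive parameter names found in text after one round of URL-decoding."""
    return sorted(set(PATTERN.findall(unquote(text))))

def is_third_party(url, first_party):
    """True when the request host is neither first_party nor one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return not (host == first_party or host.endswith("." + first_party))

def audit(captured, first_party):
    """captured: iterable of (request_url, headers). Returns (host, channel, names)."""
    findings = []
    for url, headers in captured:
        if not is_third_party(url, first_party):
            continue  # same-site requests do not expose the URL to another party
        host = urlsplit(url).hostname
        # Two channels: the Referer header, and the page URL embedded in the request.
        for channel, value in (("referer", headers.get("Referer", "")), ("url", url)):
            names = sensitive_names(value)
            if names:
                findings.append((host, channel, names))
    return findings

# Constructed capture: a reset page on shop.example loading two third-party tags.
RESET_PAGE = "https://www.shop.example/reset?token=EXAMPLE-TOKEN&et_rid=user@mail.example"
CAPTURED = [
    ("https://ads.tracker.example/activityi;src=1;~oref=https%3A%2F%2Fwww.shop.example"
     "%2Freset%3Ftoken%3DEXAMPLE-TOKEN%26et_rid%3Duser%40mail.example",
     {"Referer": RESET_PAGE}),
    ("https://tags.tracker.example/site/1?limit=1", {"Referer": RESET_PAGE}),
    ("https://www.shop.example/static/app.js", {"Referer": RESET_PAGE}),
    ("https://cdn.tracker.example/lib.js", {"Referer": "https://www.shop.example/"}),
]

if __name__ == "__main__":
    for host, channel, names in audit(CAPTURED, "shop.example"):
        print(f"{host}: {', '.join(names)} exposed via {channel}")
```

The `url` channel matters because a tag that copies the page address into its own request still sends the token to the third party even when the Referer header is trimmed or absent.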
