Password Reset Token Leak Via Referrer

Shrey Shah (Jerry)
Jan 22 · 2 min read

Summary :

I found this vulnerability in a responsible disclosure program and I was rewarded with Hall Of Fame.

What is referrer ?

The HTTP referrer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed.

Why this is a vulnerability ?

It allows the person who has control of particular site to change the user’s password (CSRF attack), because this person knows reset password token of the user.

For example : There is a site name www.mydomain.com which has the password reset functionality. User A resets the password using that functionality. Now that request has the referrer header which contains a link of another webpage with the password reset token. Now that owner can use that token to compromise the victim’s account.

How to find this vulnerability ?

  1. Go to any website that has password reset functionality
Password reset page

2. Add your email and click on send. It will send the password reset link to your email

Requested Password reset

3. Now open your email and click on that link to change the password

Reset Password Email

4. You’ll find you’re password reset token in the URL and you can see the third party app on the bottom of the page.

Password reset token and third party app

5. Now click on any of the app (twitter, facebook, linkedin) given on the webpage and intercept the request using burp suite

Token leakage via referrer

6. You’ll see that your token is leaking via referrer to third party

Thank You :)

Instagram : jerry._.3

Related reads

Related reads