Published in Pentester Nepal

The journey from Google Honorable Mention to Hall of Fame.

Earlier I found a valid bug in Google, but it did not meet the bar for a reward, so I had to settle for being listed in the Honorable Mentions only.

Then, after a few months, I was again searching for a bug to take the leap from Honorable Mention to Hall of Fame. I searched Google's main domains with no luck, so I started hunting on Google acquisition sites.

I found the domain waze.com and started looking for bugs. I did not find anything interesting, so I took a break.

One day I met a friend, Saugat Pokharel, and we discussed vulnerabilities. He told me about the bug class where a password reset link leaks in the Referer header of requests to third-party sites. I decided to test for this bug on the domain I had been hunting on.

During the test I successfully detected this bug and reported it to Google, which would not have been possible without Saugat Pokharel's help. So, thanks to him! ❤

Reported From the link below:-

Summary:-

Password Reset Link Leaked In Referer Header In Request To Third Party Sites

Steps To Reproduce:
Step 1 — Go To https://www.waze.com/forgot_password?redirect=%2F&we_episode_id=1618203286605
Step 2 — Enter Your Email And Click On send an email.
Step 3 — Go To Email & Click on Password Reset Link
Step 4 — On Password Reset Page Click On Social Media Links Given Below And Capture The Request Using Burp Suite
Step 5 — Observe That The Full Password Reset Link Is Exposed To Third Party Sites.

Impact:-

A social media page can exploit this as well: if page analytics are enabled, the page owner can see where users are being referred from, find the password reset link there, and reset the victim's password.
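The mechanism behind this impact is the browser's Referer header: unless the reset page sets a Referrer-Policy (or marks outbound links rel="noreferrer"), a click on a footer link sends the full reset URL, token included, to the third-party host. The following added example, which is not Waze's or Google's code and uses constructed URLs and a constructed token, models what each Referrer-Policy value would send and flags the links that would carry the token; it goes beyond the report by covering every policy value, so a team can test its own reset page against the fix.

```python
"""Model of the Referer value a browser attaches when a user follows a link
from a password-reset page, under each Referrer-Policy value.
Added example, not Waze's or Google's code. URLs and the token are constructed."""
from urllib.parse import urlsplit

# Constructed sample: the reset page carries the one-time token in its query string
TOKEN = "CONSTRUCTED_TOKEN_8f3a"
RESET_PAGE = f"https://accounts.example.com/reset_password?token={TOKEN}"

def _origin(url: str) -> str:
    """Serialized origin with trailing slash, as browsers send it in Referer."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"

def referer_for(policy: str, source: str, target: str):
    """Referer header sent when navigating from `source` to `target`, or None.
    Mirrors the Referrer Policy spec: 'downgrade' means https -> http."""
    same_origin = _origin(source) == _origin(target)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http"
    full = urlsplit(source)._replace(fragment="").geturl()  # fragment is never sent
    origin = _origin(source)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # legacy browser default: leaks the token
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return full if same_origin else (None if downgrade else origin)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy {policy!r}")

def leaking_links(policy: str, page: str, links, token: str) -> list:
    """Links on `page` whose click would carry `token` in the Referer to the link's host."""
    return [t for t in links if (r := referer_for(policy, page, t)) and token in r]

if __name__ == "__main__":
    # Constructed outbound links as found in a reset page footer
    LINKS = ["https://social.example.net/ourpage", "http://blog.example.org/",
             "https://accounts.example.com/help"]
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} leaks token to: {leaking_links(pol, RESET_PAGE, LINKS, TOKEN)}")
```

Under the legacy default the cross-origin social link receives the full reset URL; under `strict-origin-when-cross-origin` it receives only `https://accounts.example.com/`, and `no-referrer` sends nothing at all.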

Google triaged my report 12 days after the initial report and finally rewarded me with a bounty $$$ and enlisted me in the Google Hall of Fame. That's how I made it into the Google Hall of Fame.

Reward email from Google.
Enlisted in the Google Hall of Fame.

Timeline of the report:-

April 12, 2020: Initial report sent

April 12, 2020: Report Triaged

April 23, 2020: Bounty Rewarded $$$

May 21, 2020: Confirmation of fix

Proof of concept video in the link below:-

https://www.youtube.com/watch?v=I311-Os8eDs

Thank you for taking the time to read my article. Have a nice day!

You can follow me on Facebook.

Below is the coverage of this issue.
