Severity - (Medium 4 - 6.9)
Weakness - Violation of Secure Design Principles
Description
It has been identified that the application is leaking referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim.
Steps To Reproduce:-
- Request a password reset link for a valid account
- Click on the reset link
- Before resetting the password click on the twitter/Facebook or any link footer section
- You will notice the following request in burpsuit
REQUEST:
GET /tidepool_org HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://app.tidepool.org/confirm-password-reset?resetKey=HT1JWC9WiPcablF9qMvpYFjG5lcpaoEz
Upgrade-Insecure-Requests: 1
As you can see in the referrer the reset token is getting leaked to third party sites. So, the person who has complete control over that particular third party site can compromise the user accounts easily.
Severity - (Medium 4 - 6.9)
Weakness - Violation of Secure Design Principles
Description
It has been identified that the application is leaking referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim.
Steps To Reproduce:-
REQUEST:
GET /tidepool_org HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://app.tidepool.org/confirm-password-reset?resetKey=HT1JWC9WiPcablF9qMvpYFjG5lcpaoEz
Upgrade-Insecure-Requests: 1
As you can see in the referrer the reset token is getting leaked to third party sites. So, the person who has complete control over that particular third party site can compromise the user accounts easily.
