Legal Robot: Token leakage by referrer header & analytics

2017-07-22T13:27:40
ID H1:252544
Type hackerone
Reporter myster
Modified 2017-07-30T06:11:17

Description

A security researcher discovered that sensitive information, like password reset tokens, could still be leaked to analytics services like Google Analytics or via the Referer [sic] header. Even though tokens were immediately invalidated, we decided to re-engineer the process to eliminate any possibility of token leakage.
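The kind of re-engineering the description refers to, as an added example that is not Legal Robot's code: the emailed token is consumed on its first and only request, the reset grant moves into an HttpOnly cookie, and the form is served on a URL that carries no secret, so neither the Referer header nor a page-view analytics beacon has anything to leak. The in-memory store, the route names and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

RESET_TTL = 15 * 60  # seconds a reset token / grant stays valid (assumed value)

def _h(value):
    # Store only a hash so a dump of the table does not yield usable links.
    return hashlib.sha256(value.encode()).hexdigest()

class ResetStore:
    """In-memory, single-use store; stand-in for a database table (assumed)."""
    def __init__(self):
        self.tokens = {}  # sha256(token) -> (user_id, expires_at)
        self.grants = {}  # sha256(grant) -> (user_id, expires_at)

    def issue(self, table, user_id, now):
        secret = secrets.token_urlsafe(32)
        table[_h(secret)] = (user_id, now + RESET_TTL)
        return secret

    def consume_token(self, token, now):
        # pop() makes the emailed token single-use; expiry is checked afterwards.
        user_id, expires_at = self.tokens.pop(_h(token), (None, 0))
        return user_id if now < expires_at else None

def handle_reset_link(url, store, now):
    """First GET on the emailed link: consume the token, then redirect to a clean URL."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    user_id = store.consume_token(token, now) if token else None
    if user_id is None:
        return {"status": 400, "headers": {"Referrer-Policy": "no-referrer"}}
    grant = store.issue(store.grants, user_id, now)
    return {
        "status": 303,
        "headers": {
            # The form is served on a URL with no secret, so neither the Referer
            # header of embedded resources nor a page-view beacon can carry it.
            "Location": "/reset/set-password",
            # Grant in an HttpOnly cookie scoped to the reset path. SameSite=Lax,
            # not Strict: the navigation starts in the mail client (cross-site).
            "Set-Cookie": f"reset_grant={grant}; Path=/reset; HttpOnly; Secure; "
                          f"SameSite=Lax; Max-Age={RESET_TTL}",
            "Referrer-Policy": "no-referrer",
        },
    }

def url_carries_secret(url, names=("token", "reset_token", "key")):
    """Regression check: True if a URL still puts a reset secret in its query string."""
    return any(n in parse_qs(urlparse(url).query) for n in names)
```

The form handler on the clean URL then looks the grant cookie up in the same way and clears it once the new password is accepted.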