Legal Robot: Token leakage by referrer header & analytics

ID H1:252544
Type hackerone
Reporter myster
Modified 2017-07-30T06:11:17


A security researcher discovered that sensitive information, like password reset tokens, could still be leaked to analytics services like Google Analytics or via the Referer [sic] header. Even though tokens were immediately invalidated, we decided to re-engineer the process to eliminate any possibility of token leakage.
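As an added illustration (not code from the report or from Legal Robot), the following simulation contrasts a reset flow that renders the form at the tokenised URL with one that consumes the token on arrival and redirects to a token-free URL, and it also models what the Referer header carries under a few Referrer-Policy values. The token, hostnames, session store and handler names are assumptions constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample data: one outstanding reset token and the emailed link.
VALID_TOKENS = {"ABC123SECRET": "user-42"}
SESSIONS = {}
RESET_LINK = "https://app.example/reset-password?token=ABC123SECRET"


def leaky_reset_get(url):
    """Leaky design: the reset form is served at the tokenised URL, so any
    third-party script on that page can read the token from location.href."""
    return {"status": 200, "page_url": url, "headers": {}}


def hardened_reset_get(url):
    """Re-engineered design: consume the token immediately, bind the reset to a
    short-lived server-side session, and redirect to a token-free URL before any
    page that loads analytics is rendered."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("token", [None])[0]
    if token is None or token not in VALID_TOKENS:
        return {"status": 400, "page_url": None, "headers": {}}
    user = VALID_TOKENS.pop(token)            # single use: invalidated on first hit
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    clean_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return {
        "status": 302,
        "page_url": clean_url,                # the URL the browser ends up on
        "headers": {
            "Location": clean_url,
            "Set-Cookie": f"reset_sid={sid}; Secure; HttpOnly; SameSite=Lax",
            "Referrer-Policy": "no-referrer",  # defence in depth for the Referer side
        },
    }


def referer_header(page_url, dest_url, policy="strict-origin-when-cross-origin"):
    """Referer a browser attaches to a request from page_url to dest_url
    (only the Referrer-Policy rules relevant to this scenario are modelled)."""
    src, dst = urlsplit(page_url), urlsplit(dest_url)
    if policy == "no-referrer":
        return None
    if policy == "strict-origin-when-cross-origin":
        return page_url if src.netloc == dst.netloc else f"{src.scheme}://{src.netloc}/"
    return page_url  # no-referrer-when-downgrade: full URL to any https destination


def analytics_sees(response):
    """URL a JavaScript analytics snippet on the rendered page reports. It reads
    location.href directly, so Referrer-Policy alone does not protect it."""
    return response["page_url"]
```

The Referrer-Policy header limits what the Referer carries, but only removing the token from the page URL stops script-based analytics from recording it.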