Mavenlink: Password reset link injection allows redirect to malicious URL

2017-10-21T22:48:39
ID H1:281575
Type hackerone
Reporter cablej
Modified 2017-12-13T18:53:34

Description

@cablej found a vulnerability in our password reset functionality that allowed an attacker using an HTTP request with a modified Host header to cause a password reset link to be emailed to the target user that would navigate to the attacker's domain. Because the password reset emails are sent from the Mavenlink email infrastructure, this email, while unexpected by the user, could appear to be legitimate. As a result, the user's account could be compromised if they were convinced to enter their login details on the attacker's website. Modifying the Host header in Mavenlink's password reset functionality would inject an attacker's link into the password reset email. When clicked, this would send the password reset token to the attacker's server, allowing the attacker to reset the target's password.
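The root cause described above is a reset link built from the request's Host header. The following is an added illustration, not Mavenlink's code or anything from the report: it shows the vulnerable construction beside a hardened one that derives the link from a configured canonical base URL and refuses requests whose Host is not on an allowlist. The hostnames, the `/password/reset` path and the `token` query parameter are constructed placeholders.

```python
"""Password reset links: Host-header-derived (vulnerable) vs canonical-base (hardened).

Added example; the hostnames, path and parameter names below are constructed placeholders.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# The only origin the application should ever put into outbound email (placeholder).
CANONICAL_BASE_URL = "https://app.example.invalid"
# Hosts the application legitimately serves (placeholder).
ALLOWED_HOSTS = {"app.example.invalid"}


def build_reset_link_from_host(request_headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's origin is copied from the client-supplied Host header.

    Whoever controls the Host header on the reset request controls where the emailed
    link, and therefore the reset token, is sent.
    """
    host = request_headers.get("Host", "")
    return f"https://{host}/password/reset?{urlencode({'token': token})}"


def build_reset_link_canonical(token: str) -> str:
    """Hardened pattern: the origin comes from server-side configuration only."""
    return f"{CANONICAL_BASE_URL}/password/reset?{urlencode({'token': token})}"


def host_is_allowed(request_headers: dict) -> bool:
    """Normalise the Host header (strip port, lower-case) and check it against the allowlist."""
    host = request_headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def issue_reset_link(request_headers: dict, token: str):
    """Hardened flow: reject unexpected Host values and never derive the link from Host.

    Returns the link to email, or None when the request should be refused.
    """
    if not host_is_allowed(request_headers):
        return None
    return build_reset_link_canonical(token)


def link_points_to_trusted_host(link: str) -> bool:
    """Outbound check: an email template can assert this before the message is queued."""
    return urlsplit(link).hostname in ALLOWED_HOSTS


def new_reset_token() -> str:
    """Unguessable token; the link's origin, not the token, was the weak point here."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = new_reset_token()
    # Constructed request with a tampered Host header (placeholder attacker-controlled name).
    tampered = {"Host": "attacker.example.invalid"}
    legit = {"Host": "APP.example.invalid:443"}

    bad_link = build_reset_link_from_host(tampered, token)
    print("vulnerable:", bad_link, "trusted host:", link_points_to_trusted_host(bad_link))
    print("hardened (tampered Host):", issue_reset_link(tampered, token))
    print("hardened (legit Host):", issue_reset_link(legit, token))
```

The outbound `link_points_to_trusted_host` check is a second, independent control: even if some code path still interpolates a request-derived value, the mailer refuses to send a link whose hostname is not on the allowlist.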

Blog post: https://lightningsecurity.io/blog/host-header-injection/

Thanks to Mavenlink for the quick response and bounty!