itBit Exchange: Leakage of sensitive wallet tokens to third party sites

2015-02-08T22:24:00
ID H1:47140
Type hackerone
Reporter shahmeer-amir
Modified 2015-03-28T20:04:45

Description

Hello itBit team, this is Shahmeer and I am reporting a very critical issue in which wallet tokens, such as the one below, are being leaked to third-party websites: https://beta.itbit.com/trading-history/402bd136-be8f-45e2-89ea-46e3283f8118

The above listed URL contains the wallet token, which is unique and sensitive information that must be kept secret and hidden from third parties, and could otherwise be misused.

But these links are being leaked in referrers to third-party sites, and sometimes even over HTTP.

To reproduce:

1. Visit the trading history or the buying and selling page, where you have the wallet ID located in the URI.
2. Scroll down and go to any of the four links (GitHub, LinkedIn, etc.).
3. You will observe that the links are being disclosed in referrers to these sites.

Now security is as strong as its weakest endpoint, so I think that you should fix this ASAP.
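The following is an added example, not code from the report or from itBit, that models the mechanism behind this finding from the defender's side. It reproduces the Referrer-Policy rules a browser applies when a user follows an outbound link (which policies send the full page URL, which send only the origin, and which send nothing on an HTTPS-to-HTTP downgrade), then audits a constructed page's external links to show which ones would carry the path segment (where the token sits) to the third party. The page URL is the one from the report; the GitHub/LinkedIn/Twitter link targets, the `rel` attributes and the HTML snippet are constructed placeholders, and the anchor regex is only adequate for that snippet (a real audit would use an HTML parser).

```javascript
// Added example (not itBit's code): Referrer-Policy semantics and an audit of
// external links for leakage of the page path (the wallet token) via Referer.

// Full referrer as browsers send it: no fragment, no credentials.
function fullReferrer(u) {
  const p = new URL(u);
  p.hash = "";
  p.username = "";
  p.password = "";
  return p.toString();
}

// Origin-only referrer is serialized with a trailing slash, e.g. "https://host/".
function originOf(u) {
  return new URL(u).origin + "/";
}

function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

function sameOrigin(from, to) {
  return new URL(from).origin === new URL(to).origin;
}

// Referer value a browser sends when navigating from `from` to `to` under
// `policy`; an empty string means the header is omitted entirely.
function referrerFor(policy, from, to) {
  const same = sameOrigin(from, to);
  const down = isDowngrade(from, to);
  switch (policy) {
    case "no-referrer": return "";
    case "unsafe-url": return fullReferrer(from);
    case "no-referrer-when-downgrade": return down ? "" : fullReferrer(from);
    case "origin": return originOf(from);
    case "same-origin": return same ? fullReferrer(from) : "";
    case "origin-when-cross-origin": return same ? fullReferrer(from) : originOf(from);
    case "strict-origin": return down ? "" : originOf(from);
    case "strict-origin-when-cross-origin":
    case "": // assumption: treat "no policy" as the modern browser default
      return down ? "" : same ? fullReferrer(from) : originOf(from);
    default: throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// Toy anchor extractor, sufficient for the constructed snippet below only.
const ANCHOR_RE = /<a\s+([^>]*?)href="([^"]+)"([^>]*)>/gi;

// For each cross-origin link, report what Referer the third party would
// receive and whether it exposes more than the bare origin (path or query).
function auditLinks(html, pageUrl, policy) {
  const findings = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = m[1] + m[3];
    const href = new URL(m[2], pageUrl).toString();
    if (sameOrigin(pageUrl, href)) continue; // same-origin links are not the concern here
    const noreferrer = /rel="[^"]*\bnoreferrer\b[^"]*"/i.test(attrs);
    const referer = noreferrer ? "" : referrerFor(policy, pageUrl, href);
    let leaksPath = false;
    if (referer !== "") {
      const r = new URL(referer);
      leaksPath = r.pathname !== "/" || r.search !== "";
    }
    findings.push({ href, referer, leaksPath });
  }
  return findings;
}

// Constructed sample: the page URL from the report plus placeholder footer links.
const PAGE_URL =
  "https://beta.itbit.com/trading-history/402bd136-be8f-45e2-89ea-46e3283f8118";
const SAMPLE_HTML = `
<a href="/trading-history">History</a>
<a href="https://github.com/EXAMPLE-ORG">GitHub</a>
<a href="http://www.linkedin.com/company/EXAMPLE-ORG">LinkedIn</a>
<a href="https://twitter.com/EXAMPLE-ORG" rel="noopener noreferrer">Twitter</a>
`;

// Compare a permissive policy with the hardened one.
console.log(JSON.stringify(auditLinks(SAMPLE_HTML, PAGE_URL, "no-referrer-when-downgrade"), null, 2));
console.log(JSON.stringify(auditLinks(SAMPLE_HTML, PAGE_URL, "strict-origin-when-cross-origin"), null, 2));
```

Under `no-referrer-when-downgrade` the HTTPS GitHub link receives the complete page URL including the token, the HTTP LinkedIn link receives nothing only because of the downgrade, and the Twitter link is protected solely by its `rel="noreferrer"`. Under `strict-origin-when-cross-origin` every external link gets at most `https://beta.itbit.com/`. The policy is a mitigation for the symptom; the durable fix is to keep secrets out of the URL path and query altogether, since Referer is only one of several places (browser history, proxy logs, bookmarks) where URLs are recorded.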