Stripo Inc: Password token leak via Host header

2019-11-13T18:56:19
ID H1:737042
Type hackerone
Reporter aishkendle
Modified 2019-12-19T13:01:38

Description

Password token leak via Host header


Vulnerability Description:

The password-reset token is leaked by the server to a third-party site (whose name is taken from the Host header), and that token can then be used by the third party to reset the password, take over the account, and log in to your account directly.

Steps To Reproduce:

1) Send a reset-password link to your email address.
2) Go to your email, turn Burp Suite intercept on, and click the reset-password link. Check for the requests that carry the token in the Referer and a third-party website as the Host, and copy the link.
3) Turn intercept off and reset the password (with that link).
4) Now reset the password.

POC:

Images Uploaded

Impact

It allows whoever controls that particular site to change the user's password (CSRF attack), because that person knows the user's reset-password token.
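The root cause described above is a server that builds the emailed reset link from the request's Host (or X-Forwarded-Host) header instead of from a configured canonical origin. The following added example (not Stripo's code; the application hostname, allow-list and token values are constructed) shows the vulnerable link builder next to a hardened one that validates the Host header against an allow-list and always emits the configured base URL:

```python
"""Password-reset link construction: Host-header-derived (vulnerable) versus
configuration-derived (hardened). Added example, not Stripo's code; all
hostnames, headers and tokens below are constructed for illustration."""
from urllib.parse import urlencode, urlsplit

# Assumption: the canonical origin and the accepted hostnames are set from
# deployment configuration, never from anything the client sends.
CANONICAL_BASE = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Reflects the incoming Host / X-Forwarded-Host header into the link.

    If the reset request arrives with a client-chosen Host value, the
    emailed link points at that host and the token is disclosed to it as
    soon as the victim clicks (and again via the Referer if the reset page
    loads third-party resources)."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def host_is_trusted(headers: dict) -> bool:
    """True only when the Host header names an allow-listed hostname.

    The port is stripped before comparison; a missing Host is untrusted."""
    host = headers.get("Host")
    if not host:
        return False
    hostname = host.split(":", 1)[0].strip().lower()
    return hostname in ALLOWED_HOSTS


def hardened_reset_link(headers: dict, token: str) -> str:
    """Refuses unknown Host values and never copies the header into the link;
    the origin always comes from CANONICAL_BASE."""
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host header; refusing to build reset link")
    return f"{CANONICAL_BASE}/reset-password?{urlencode({'token': token})}"


def link_points_to_trusted_host(link: str) -> bool:
    """Defender-side check: does an emailed link lead back to our own host?"""
    return urlsplit(link).hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with a tampered Host header.
    legit = {"Host": "app.example.com"}
    tampered = {"Host": "third-party.example"}
    token = "constructed-token-123"

    print("vulnerable, legit   :", vulnerable_reset_link(legit, token))
    print("vulnerable, tampered:", vulnerable_reset_link(tampered, token))
    print("hardened,   legit   :", hardened_reset_link(legit, token))
    try:
        hardened_reset_link(tampered, token)
    except ValueError as exc:
        print("hardened,   tampered:", exc)
```

The allow-list check belongs at the edge of the application (or in the reverse proxy), and the same rule applies to any other absolute URL the server emails or embeds: derive it from configuration, not from request headers.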