Zaption: Using GET method for account login with CSRF token leaking to external sites Via Referer.

2015-07-19T10:35:01
ID H1:76733
Type hackerone
Reporter bugs3ra
Modified 2016-05-02T19:08:58

Description

HI

At the time of login, the values are present in URL along with the CSRF token. Also this URL is leaking to external sites in HTTP Referer.

Here are some of those sites: dxzc9stvaxhhy.cloudfront.net bam.nr-data.net ssl.google-analytics.com usage.trackjs.com api.mixpanel.com
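As an added illustration (not part of the report), the following Python models why a GET login like the one described exposes the CSRF token in the Referer sent to the listed third-party hosts, and which Referrer-Policy values would stop that leak; the login URL, parameter names and resource paths are constructed. Moving the login to POST so no secret ever sits in the URL is the real fix, with Referrer-Policy as defense in depth.

```python
"""Added example (not from the original report): models how a GET-based login
leaks its query string, CSRF token included, in the Referer header to every
third-party host the page loads, and how Referrer-Policy changes what is sent.
Login URL and parameter names are constructed for illustration."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed vulnerable pattern: a method="GET" login form puts secrets in the URL.
LOGIN_URL = ("https://app.example.com/login"
             "?email=a%40b.test&password=hunter2&csrf_token=ZXhhbXBsZQ")

# Third-party hosts named in the report as recipients of the Referer (paths constructed).
THIRD_PARTY = [
    "https://dxzc9stvaxhhy.cloudfront.net/app.js",
    "https://bam.nr-data.net/1/beacon",
    "https://ssl.google-analytics.com/ga.js",
    "https://usage.trackjs.com/usage.gif",
    "https://api.mixpanel.com/track",
]

# Query parameter names that must never appear in a URL (hypothetical list).
SENSITIVE = {"password", "csrf_token", "token", "session"}


def sensitive_params(url):
    """Names of sensitive query parameters present in url, sorted."""
    return sorted(k for k in parse_qs(urlsplit(url).query) if k.lower() in SENSITIVE)


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer a browser sends when page_url requests target_url under policy.
    Both URLs here are https, so the https-to-http downgrade cases never apply."""
    p, t = urlsplit(page_url), urlsplit(target_url)
    full = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))  # fragment dropped
    origin = urlunsplit((p.scheme, p.netloc, "/", "", ""))
    same_origin = (p.scheme, p.netloc) == (t.scheme, t.netloc)
    if policy == "no-referrer":
        return None
    if policy in ("no-referrer-when-downgrade", "unsafe-url"):
        return full  # the whole query string, CSRF token included, goes out
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else origin
    raise ValueError("unsupported policy: " + policy)


def leaked_to(page_url, targets, policy):
    """Hosts that receive sensitive query parameters in Referer under policy."""
    return [urlsplit(t).netloc for t in targets
            if (ref := referer_for(page_url, t, policy)) and sensitive_params(ref)]
```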