A critical flaw that could have been exploited to take over accounts has been resolved in Glassdoor.
Critical Flaw in Glassdoor:
Glassdoor is a website where current and former employees anonymously review companies.
The bug bounty hunter Tabahi was rewarded under Glassdoor’s public bug bounty program for finding that the app’s CSRF (Cross-Site Request Forgery) protection failed.
The bug was considered deserving of a 9 – 10 severity score. By exploiting the vulnerability, attackers could take control of jobseeker profiles – enabling them to edit their profile, add or delete CVs, apply for jobs, or add reviews – and of employer accounts, in which they could post or delete jobs.
In addition, an attacker had the potential to gain administrative privileges over a company’s Glassdoor account.
There are two types of Glassdoor accounts, one for job seekers and one for employers, both of which use the same CSRF protection.
In his write-up, Tabahi identified one of the tokens as “session tied, and requests failed for cross accounts”.
The token that circumvented this check did so because, while copying the token, Tabahi omitted the token’s first character, an underscore (_).
Generating CSRF tokens from account “A”, stripping the first character, and using the result as the token for account “B” proved successful.
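As an added illustration (not code from Glassdoor or from the write-up, which does not disclose the root cause), the following Python models one hypothetical mechanism that reproduces the observed behaviour: the leading underscore selects a session-bound check, while an un-prefixed token falls through to a stateless HMAC check with no session binding. The secret, the token store and all function names are constructed for the example; the hardened validator beside it accepts only an exact match against tokens issued to the current session.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret and in-memory token store for this illustration only.
SECRET_KEY = b"constructed-demo-secret"
ISSUED = {}  # session_id -> set of tokens handed out to that session


def _mac(data: str) -> str:
    return hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Issue a token shaped '_' + nonce + '.' + HMAC(nonce) and remember it per session."""
    nonce = secrets.token_hex(8)
    token = f"_{nonce}.{_mac(nonce)}"
    ISSUED.setdefault(session_id, set()).add(token)
    return token


def lenient_validate(session_id: str, token: str) -> bool:
    """Hypothetical flawed validator (assumption, not Glassdoor's code).

    A token starting with '_' is checked against the current session's issued
    tokens, so a full token from account A is rejected for account B. Anything
    else falls through to a stateless HMAC check that never looks at the session,
    so the same token with its first character dropped is accepted for any account.
    """
    if token.startswith("_"):
        return token in ISSUED.get(session_id, set())
    nonce, _, mac = token.partition(".")
    return hmac.compare_digest(mac, _mac(nonce))  # no session binding: the flaw


def strict_validate(session_id: str, token: str) -> bool:
    """Hardened validator: one verification path, exact constant-time match against
    the tokens issued to this session only. A token altered by even one character,
    or issued to another session, is rejected."""
    return any(hmac.compare_digest(token, t) for t in ISSUED.get(session_id, set()))


if __name__ == "__main__":
    tok_a = issue_token("session-A")
    stripped = tok_a[1:]  # the copy-paste mistake from the write-up
    print("lenient, full token, other session:", lenient_validate("session-B", tok_a))
    print("lenient, stripped token, other session:", lenient_validate("session-B", stripped))
    print("strict, stripped token, other session:", strict_validate("session-B", stripped))
```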
Most importantly, the bug hunter explained the impact of the critical vulnerability:
Tabahi was rewarded with a $3,000 bug bounty for reporting the CSRF vulnerability, comprising a $2,500 financial reward from Glassdoor and a $500 bonus from HackerOne.