Glassdoor, a web-site for work hunting and submitting nameless organization reviews, has settled a vital problem that could be exploited to take in excess of accounts. 

Bug bounty researcher “Tabahi” (ta8ahi) found the issue, explained as a internet site-vast cross-web-site ask for forgery (CSRF) bug deserving of a 9 – 10 severity score. 

The vulnerability impacted the Glassdoor world-wide-web domain. A token, gdToken, was in use to prevent CSRF from taking place on endpoints, and at initially glance, it appeared to be a safe implementation. 

Nevertheless, Tabahi’s assessments resulted in a fraudulent session request passing by way of CSRF checks — a discovery produced by accident, as the bug bounty hunter missed copying an underscore beginning a request try. 

This odd discovery led Tabahi to attempt and reproduce the end result. Generating CSRF tokens from account “A,” stripping the initially character, and trying to use it as the token for account “B” proved to be prosperous.

There are two forms of Glassdoor accounts: one particular for work seekers and just one for companies — equally of which use the same CSRF security. 

See also: Distant code execution vulnerability uncovered in Starbucks mobile system

The vulnerability permitted attackers to get hold of a CSRF token from the firm’s server to hijack accounts from logged-in victims. This could incorporate creating new administrators on employer accounts, deleting information on job seekers and employers, including fake assessments, deleting CVs, as well as posting, applying for, and deleting career listings. 

Glassdoor’s stability staff triaged the issue as a token length validation error, and exception dealing with issues were also present. According to Tabahi, “an exception was induced with the cast tokens and they didn’t fall short the reaction, and in change, just logged it and authorized the procedure to carry on.”

The bug bounty hunter very first described their results to Glassdoor by means of HackerOne in February. Right after a period of time of time to triage the bug, the vulnerability report was recognized as valid and a essential score was issued. Glassdoor patched the problem in the similar thirty day period, but community disclosure was only built in December. 

Tabahi was awarded a bug bounty of $3,000 for reporting the CSRF vulnerability, like both equally a $2,500 economical reward from Glassdoor and a $500 reward from HackerOne.

Prior and linked coverage


Have a suggestion? Get in touch securely by means of WhatsApp | Sign at +447713 025 499, or over at Keybase: charlie0