A serious security vulnerability affected the popular job and business review platform Glassdoor. A researcher found a CSRF vulnerability in the Glassdoor website that threatened the account security of its users.
Glassdoor CSRF Vulnerability
A security researcher with the alias ‘Tabahi’ discovered a critical CSRF (cross-site request forgery) vulnerability affecting the website Glassdoor.com.
Explaining his findings in a blog post, he stated that Glassdoor used access tokens tied to the user's session. Hence, his first attempts to issue cross-account requests failed.
However, after multiple attempts, he eventually succeeded. That made him notice that dropping the first character of the token allowed the CSRF protection to be bypassed.
This vulnerability worked on both employers’ and job seekers’ accounts on Glassdoor. As stated in the post,
Both use the same kind of implementation to prevent CSRF; the bypass worked for both, and I had CSRF on all endpoints of both the Job Seeker and Employer accounts. This could lead to full account takeover by exploiting functionalities like inviting an attacker e-mail with admin access to employer accounts.
Digging further into the matter revealed the exact cause of the vulnerability. He found that the problem lay in the server's length validation of the token. Any token with a length not equal to 153 characters would be considered valid.
Glassdoor's security team identified it as an exception validation issue, which, according to the researcher, meant that:
An exception was triggered with the forged tokens and they didn’t fail the response and in turn just logged it and allowed the operation to continue.
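As an added illustration (not Glassdoor's code, which the article does not show), here is the fail-open pattern the researcher describes beside a fail-closed version. The 153-character length comes from the article; the token format, the parser and the constructed session token are assumptions.

```python
import hmac
import hashlib
import logging

# The article reports that the validator expected tokens of exactly 153 characters;
# the token format itself (an opaque hex string bound to the session) is an assumption.
TOKEN_LEN = 153
logger = logging.getLogger("csrf")


class TokenFormatError(ValueError):
    """Raised by the parser when the submitted token does not match the expected format."""


def parse_token(token: str) -> bytes:
    """Stand-in for a server-side parser: it raises instead of returning a verdict
    when the submitted token has the wrong length."""
    if len(token) != TOKEN_LEN:
        raise TokenFormatError(f"unexpected token length {len(token)}")
    return token.encode("ascii")


def validate_fail_open(submitted: str, session_token: str) -> bool:
    """The pattern the article describes: the parse exception is logged and the
    request is allowed to continue, so any malformed token passes."""
    try:
        return hmac.compare_digest(parse_token(submitted), session_token.encode("ascii"))
    except TokenFormatError as exc:
        logger.warning("csrf token rejected by parser: %s", exc)
        return True  # bug: a logged error is treated as success


def validate_fail_closed(submitted: str, session_token: str) -> bool:
    """Hardened form: any failure to parse or compare denies the request."""
    try:
        return hmac.compare_digest(parse_token(submitted), session_token.encode("ascii"))
    except TokenFormatError as exc:
        logger.warning("csrf token rejected by parser: %s", exc)
        return False  # fail closed


# Constructed, deterministic session token of the expected length (not a real token).
SESSION_TOKEN = (hashlib.sha512(b"demo-session").hexdigest()
                 + hashlib.sha256(b"demo-session").hexdigest())[:TOKEN_LEN]

if __name__ == "__main__":
    # Genuine token, wrong token of the right length, and the token with its first character dropped.
    for candidate in (SESSION_TOKEN, "0" * TOKEN_LEN, SESSION_TOKEN[1:]):
        print(len(candidate), validate_fail_open(candidate, SESSION_TOKEN),
              validate_fail_closed(candidate, SESSION_TOKEN))
```

Only the fail-closed validator rejects the 152-character token; the fail-open one accepts it even though it never matched the session.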
The following video demonstrates the exploit.
Glassdoor Fixed The Flaw
Upon finding the vulnerability, the researcher reported it to Glassdoor via the company's bug bounty program on HackerOne. As evident from the bug report, he reported the bug earlier this year (February 2020).
Glassdoor labeled it a critical-severity bug and awarded the researcher a $3000 bounty.