
Critical CSRF Vulnerability Found In Glassdoor Platform

by Abeerah Hashim

A serious security vulnerability affected the popular job and business review platform Glassdoor. A security researcher found a CSRF vulnerability in the Glassdoor website that threatened the account security of its users.

Glassdoor CSRF Vulnerability

A security researcher with the alias ‘Tabahi’ discovered a critical CSRF (cross-site request forgery) vulnerability affecting the website Glassdoor.com.

Explaining his findings in a blog post, he stated that Glassdoor used session-tied access tokens as its anti-CSRF measure. Hence, at first, his attempts to submit cross-account requests failed.

However, after multiple attempts, he eventually succeeded. That made him notice that dropping the first character of the token was enough to bypass the CSRF protection.

This vulnerability worked on both employers’ and job seekers’ accounts on Glassdoor. As stated in the post,

Both use the same kind of implementation to prevent CSRF; the bypass worked for both, and I had CSRF on all endpoints of both the Job Seeker and Employer accounts. This could lead to full account takeover by exploiting functionalities like inviting an attacker e-mail with admin access to employer accounts.

Digging further revealed the exact cause of the vulnerability: the server's length validation of the token. Any token with a length not equal to 153 characters would be considered valid.

Glassdoor's security team identified it as an exception validation issue. According to the researcher,

An exception was triggered with the forged tokens, and they didn't fail the response; in turn, they just logged it and allowed the operation to continue.
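As an added illustration (not Glassdoor's code, which is not public), the fail-open pattern the researcher describes beside its fail-closed fix. The parser is a constructed stand-in that rejects any token whose length is not 153 characters, as the page reports; the function names are assumptions.

```python
import hmac
import logging
import secrets

TOKEN_LEN = 153  # token length the page reports the server expected


class TokenFormatError(ValueError):
    """Raised when a submitted token does not have the expected shape."""


def parse_token(submitted: str) -> str:
    # Constructed stand-in for the server-side token parser (assumption):
    # it rejects any token whose length differs from the expected one.
    if len(submitted) != TOKEN_LEN:
        raise TokenFormatError(f"expected {TOKEN_LEN} chars, got {len(submitted)}")
    return submitted


def validate_fail_open(session_token: str, submitted: str) -> bool:
    """Vulnerable pattern: the parse error is logged and the request proceeds."""
    try:
        candidate = parse_token(submitted)
    except TokenFormatError as exc:
        logging.warning("csrf token parse error: %s", exc)
        return True  # bug: a malformed token is treated as valid
    return hmac.compare_digest(session_token, candidate)


def validate_fail_closed(session_token: str, submitted: str) -> bool:
    """Hardened pattern: any parse error or mismatch rejects the request."""
    try:
        candidate = parse_token(submitted)
    except TokenFormatError as exc:
        logging.warning("csrf token parse error: %s", exc)
        return False  # fail closed: malformed tokens are rejected
    # Constant-time comparison against the token bound to the session.
    return hmac.compare_digest(session_token, candidate)


def new_session_token() -> str:
    # secrets.token_hex(n) yields 2n hex characters; 153 is odd, so trim one.
    return secrets.token_hex(77)[:TOKEN_LEN]
```

A detection hint that follows from the fix: the parse-error log line should be rare in production, so a burst of it against state-changing endpoints is worth alerting on.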

The following video demonstrates the exploit.

Glassdoor Fixed The Flaw

Upon finding the vulnerability, the researcher reached out to Glassdoor via their bug bounty program on HackerOne. As evident from the bug report, the researcher reported the bug earlier this year (February 2020).

Glassdoor labeled this a critical-severity bug and awarded the researcher a $3000 bounty.
