A security researcher has earned a $3,000 bug bounty after discovering a site-wide Cross-Site Request Forgery (CSRF) vulnerability on the employment site Glassdoor.
Security researcher bypasses anti-CSRF defences to alter jobseeker profiles, change employer records, and more…
By abusing the vulnerability, attackers could take control of jobseeker profiles – enabling them to edit the profile, add or delete CVs, apply for jobs, or add reviews – as well as employer accounts, where they could post or delete job listings.
Going a step further, an attacker could gain administrative privileges over an organisation’s Glassdoor account, although this would require some degree of social engineering, with the victim tricked into clicking a malicious link, said the researcher, who goes by ‘Tabahi’.
The India-based researcher demonstrated the typical impact of the vulnerability to Glassdoor by taking over a jobseeker account, changing its name, and adding fictitious entries of professional experience.
The latest of numerous bugs unearthed by Tabahi on Glassdoor.com, the find netted him a $500 bonus on top of the maximum $2,500 reward for critical vulnerabilities under Glassdoor’s public bug bounty program.
Bypassing the mechanism
Glassdoor’s anti-CSRF mechanism issued a ‘gdToken’ to prevent CSRF across all endpoints, which at first “looked like a secure implementation”, said Tabahi in a blog post that also includes a proof-of-concept video demonstrating the exploit.
Undeterred, he “generated random tokens from an account and tried to use them for someone else’s session”.
All but one of the tokens were recognised as “session tied, and requests failed for cross accounts”. The token that bypassed this check did so “because while copying the token”, Tabahi had dropped the token’s first character, an underscore (_).
The researcher reliably reproduced this “weird” behaviour by generating “a CSRF token from account A, stripped the first character and” used “it as the CSRF token for account B”.
After validating the forged token’s format, the server’s check of whether the token was session-tied raised an exception when the token had an invalid length – anything other than 153 characters.
However, the server mishandled this exception, treating the token as valid “for the current session”.
Shutting the (Glass)door
Tabahi said he successfully reproduced the vulnerability on the latest versions of the Firefox and Chrome browsers.
He reported the vulnerability to Glassdoor on February 7, and a fix, along with the researcher’s payout, was delivered before the end of the month.
Following the update, whenever a forged token triggers the exception, an HTTP 403 is now returned, denying access to the requested resource.
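The fail-open pattern described above, next to the fail-closed check the fix introduced, as an added illustrative example (not Glassdoor’s code). The token format, secret, session IDs and token length are constructed for the example; only the shape of the bug and the 403 response follow the article.

```python
import hashlib
import hmac

# Constructed server-side secret and token layout for the example:
# a leading underscore followed by a 64-hex-character session-bound MAC.
SECRET_KEY = b"constructed-server-secret"
EXPECTED_TOKEN_LEN = 65


def issue_token(session_id: str) -> str:
    """Mint a CSRF token bound to one session (constructed scheme)."""
    mac = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return "_" + mac


def _is_session_tied(token: str, session_id: str) -> bool:
    """Raise on malformed length, otherwise compare against the session's token."""
    if len(token) != EXPECTED_TOKEN_LEN:
        raise ValueError("unexpected CSRF token length")
    return hmac.compare_digest(token, issue_token(session_id))


def check_fail_open(token: str, session_id: str) -> int:
    """Flawed validator: the length exception is swallowed and the request
    proceeds as if the token were valid for the current session."""
    try:
        tied = _is_session_tied(token, session_id)
    except ValueError:
        return 200  # BUG: exception path accepts the token
    return 200 if tied else 403


def check_fail_closed(token: str, session_id: str) -> int:
    """Fixed validator: any exception during validation yields HTTP 403."""
    try:
        tied = _is_session_tied(token, session_id)
    except ValueError:
        return 403  # fail closed on malformed tokens
    return 200 if tied else 403


if __name__ == "__main__":
    forged = issue_token("session-A")[1:]  # account A's token minus the underscore
    print("flawed :", check_fail_open(forged, "session-B"))    # 200
    print("fixed  :", check_fail_closed(forged, "session-B"))  # 403
```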