Earlier I found a valid bug in Google, but it didn't meet the bar for a reward & I had to satisfy myself with being listed in the Honorable Mention only.
Then after a few months, I was again searching for a bug to take the leap from Honorable Mention to Hall of Fame. I was searching in Google's main domains but no luck! Then I started hunting on the Google acquisition sites.
I found a domain name, waze.com, & started searching for bugs. I didn't find anything interesting, then I took a break.
One day, I met a friend named Saugat Pokharel & we discussed vulnerabilities. He told me about the "Password Reset Link Leaked In Referer Header In Request To Third Party Sites" bug. I thought of testing this bug on the domain where I was searching for bugs.
During the test I successfully detected this bug and reported it to Google, which would not have been possible without the help of Saugat Pokharel. So, thanks to him! ❤
Password Reset Link Leaked In Referer Header In Request To Third Party Sites
Steps To Reproduce:
- Go to https://www.waze.com/forgot_password?redirect=%2F&we_episode_id=1618203286605
- Enter your email and click on "send an email".
- Go to your email & click on the password reset link.
- On the password reset page, click on the social media links given below and capture the request using Burp Suite.
- You may observe that the full password reset link is exposed to third party sites.
The social media pages can also exploit this: if they have page analytics enabled, they can see where users are being referred to their page from, and the Referer value they see is the full password reset link, with which they can reset the password for the victim.
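As an added defensive check (not part of the original writeup, and not Waze's or Google's code), the following Python snippet flags off-site links on a reset page that would carry the full reset URL in the Referer header, unless the page sends a restrictive Referrer-Policy or the link itself carries rel="noreferrer" or a safe referrerpolicy attribute. The sample page, its URL path and the token value are constructed, not taken from waze.com.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Referrer-Policy values under which a cross-origin navigation never carries the
# page's path/query, so the token in the reset URL stays on the origin.
SAFE_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


class LinkCollector(HTMLParser):
    """Collect <a> tags as (href, has rel=noreferrer, per-link referrerpolicy)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            self.links.append((a["href"], "noreferrer" in rel,
                               (a.get("referrerpolicy") or "").lower()))


def find_referer_leaks(page_url, headers, html):
    """Return the cross-origin hrefs that would receive the full page URL.
    A missing Referrer-Policy counts as leaking: browsers of the time
    defaulted to sending the full URL to other HTTPS origins."""
    policy = {k.lower(): v for k, v in headers.items()}.get("referrer-policy", "")
    if policy.strip().lower() in SAFE_POLICIES:
        return []
    own_host = urlparse(page_url).netloc.lower()
    parser = LinkCollector()
    parser.feed(html)
    leaks = []
    for href, noreferrer, link_policy in parser.links:
        target = urlparse(href).netloc.lower()
        if target and target != own_host and not noreferrer \
                and link_policy not in SAFE_POLICIES:
            leaks.append(href)
    return leaks


# Constructed sample modelled on the reset page described above; it is not the
# real waze.com markup, the path is assumed and the token value is a placeholder.
SAMPLE_URL = "https://www.waze.com/reset_password?token=EXAMPLE_TOKEN"
SAMPLE_HTML = """<html><body>
<a href="https://twitter.com/example">Twitter</a>
<a href="https://www.facebook.com/example" rel="noopener noreferrer">Facebook</a>
<a href="/help">Help</a></body></html>"""
```

Sending `Referrer-Policy: no-referrer` on the reset page, or adding rel="noreferrer" to every external link on it, is the fix this check looks for.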
Google triaged my report after 12 days of the initial report & finally rewarded me with a bounty $$$ and also enlisted me in the Google Hall of Fame. That's how I made it into the Google Hall of Fame.
Timeline of the report:-
April 12, 2020: Initial report sent
April 12, 2020: Report Triaged
April 23, 2020: Bounty Rewarded $$$
May 21, 2020: Confirmation of fix
Proof of concept video file in a link below:-
Credit for this article goes to Akash Basnet.