Researcher bypassed security defenses to edit jobseeker profiles, amend employer accounts, and more
A security researcher has earned a $3,000 bug bounty by achieving site-wide cross-site request forgery (CSRF) on job-hunting website Glassdoor.
By exploiting the vulnerability, attackers could take control of jobseeker profiles – enabling them to edit their profile, add or delete CVs, apply for jobs, or add reviews – and employer accounts, in which they could post or delete jobs.
Taking the exploit one step further, an attacker had the potential to gain administrative privileges over a company’s Glassdoor account, although this would require some degree of social engineering, where the victim is lured into clicking a malicious link, ‘Tabahi’, who discovered the flaw, told The Daily Swig.
The Indian researcher demonstrated the potential impact of the vulnerability to Glassdoor by seizing control of a jobseeker account, changing the name, and adding fictional job experience entries.
The latest of numerous bugs unearthed by Tabahi on Glassdoor.com, the find netted him a $500 bonus on top of the maximum $2,500 reward for critical vulnerabilities under Glassdoor’s public bug bounty program.
Bypassing the mechanism
Glassdoor’s anti-CSRF mechanism deployed a ‘gdToken’ to prevent CSRF across all endpoints, which initially “looked like a secure implementation”, said Tabahi in a blog post that also features a proof-of-concept video demonstrating the exploit.
Undeterred, he “generated random tokens from an account and tried to use them for someone else’s session”.
All but one of the tokens were identified as “session tied, and requests failed for cross accounts”. The token that circumvented this check did so “because while copying the token”, Tabahi omitted the token’s first character, an underscore (_).
The researcher successfully reproduced this “strange” behavior by generating “a CSRF token from account A, stripped off the first character and” used “it as the CSRF token for account B”.
After validating the forged token’s format, server checks on whether it was session tied triggered an exception when the token was of invalid length – anything other than 153 characters.
However, the server mishandled this exception, treating the token as valid “for the current session”.
Closing the (Glass)door
Tabahi told The Daily Swig that he successfully reproduced the vulnerability on the latest versions of the Firefox and Chrome browsers.
He reported the flaw to Glassdoor on February 7 and a fix, along with the researcher’s payment, was issued before the month was out.
Thanks to the update, if forged tokens trigger the exception, a HTTP 403 is now generated to block access to the requested resource.