My First Valid Bug In Hackerone

RECON:

  1. Vulnerable
  2. Http Error
  3. Not Vulnerable

MANUAL TESTING:

STEPS FOLLOWED TO REPRODUCE:

  1. Clicked on any of the social media links and intercepted the request.
  2. Observed the Referer header.
  3. I can clearly see the complete password reset token being leaked to third-party sites.
Reset password token leaked
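The leak happens because the reset token sits in the page URL, and a click to another site carries that URL in the Referer header unless a Referrer-Policy suppresses it. The following is an added example, not code from the original post: it models the Referer a browser sends for a cross-site navigation under each standard policy value and flags whether the token travels with it. The host names and the token value are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample (placeholders, not a real target): a reset page whose
# URL carries the token, plus a third-party social link on that page.
RESET_URL = "https://example.com/reset-password?token=EXAMPLE_RESET_TOKEN_123"
SOCIAL_LINK = "https://social.example.net/share"


def origin(url):
    """Serialize the origin of a URL, e.g. https://example.com."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "", "", ""))


def referer_sent(from_url, to_url, policy):
    """Referer a browser sends when navigating from from_url to to_url under
    the given Referrer-Policy, or None when nothing is sent. Follows the
    Referrer Policy rules: the fragment is always stripped, and origin-only
    values are the origin with a trailing slash."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    same_origin = origin(from_url) == origin(to_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    origin_only = origin(from_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # legacy browser default
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":  # modern browser default
        return full if same_origin else (None if downgrade else origin_only)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def token_leaks(from_url, to_url, policy, param="token"):
    """True when the reset token value would appear in the outgoing Referer."""
    ref = referer_sent(from_url, to_url, policy)
    token = dict(parse_qsl(urlsplit(from_url).query)).get(param)
    return bool(ref) and bool(token) and token in ref


if __name__ == "__main__":
    for pol in ("unsafe-url", "no-referrer-when-downgrade", "origin",
                "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} leaks={token_leaks(RESET_URL, SOCIAL_LINK, pol)}")
```

The two policies that leak are exactly the ones older browsers applied by default, which is why a reset page should set `Referrer-Policy: no-referrer` (or mark outbound links `rel="noreferrer"`) and, better, move the token out of the URL before rendering any third-party links.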

Tridev Reddy