Critical CSRF vulnerability found on Glassdoor company review platform

The critical flaw impacted both job seeker and employer accounts on the web domain.

Open source: Planted vulnerabilities create big problems for developers

Glassdoor, a website for job hunting and posting anonymous company reviews, has resolved a critical issue that could be exploited to take over accounts. 

Bug bounty researcher "Tabahi" (ta8ahi) found the issue, described as a site-wide cross-site request forgery (CSRF) bug deserving of a 9 - 10 severity score. 

The vulnerability impacted the Glassdoor web domain. A token, gdToken, was in use to prevent CSRF from occurring on endpoints, and at first glance, it appeared to be a secure implementation. 

However, Tabahi's tests resulted in a fraudulent session request passing through CSRF checks -- a discovery made by accident, as the bug bounty hunter missed copying an underscore beginning a request attempt. 

This odd discovery led Tabahi to try and reproduce the result. Generating CSRF tokens from account "A," stripping the first character, and attempting to use it as the token for account "B" proved to be successful.

There are two types of Glassdoor accounts: one for job seekers and one for employers -- both of which use the same CSRF protection. 

See also: Remote code execution vulnerability uncovered in Starbucks mobile platform

The vulnerability allowed attackers to obtain a CSRF token from the firm's server to hijack accounts from logged-in victims. This could include establishing new administrators on employer accounts, deleting information on job seekers and employers, adding fake reviews, deleting CVs, as well as posting, applying for, and deleting job listings. 

Glassdoor's security team triaged the problem as a token length validation error, and exception handling issues were also present. According to Tabahi, "an exception was triggered with the forged tokens and they didn't fail the response, and in turn, just logged it and allowed the operation to continue."

The bug bounty hunter first reported their findings to Glassdoor via HackerOne in February. After a period of time to triage the bug, the vulnerability report was accepted as valid and a critical score was issued. Glassdoor patched the issue in the same month, but public disclosure was only made in December. 

Tabahi was awarded a bug bounty of $3,000 for reporting the CSRF vulnerability, including both a $2,500 financial reward from Glassdoor and a $500 bonus from HackerOne.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0