Glassdoor Account Take-Over CSRF Vulnerability
Mohamed, while researching the Glassdoor website, found that it is vulnerable to critical account hijacking via a CSRF flaw. Mohamed says that a potential hacker can take over the website via account takeover and use it to deface the Glassdoor website as well as add new content which can lead visitors to a new page laden with malware. The hackers can also change any details in user account settings, and this is the most critical point in this article: you can change the user's password and change the user's e-mail, and this can be done via just one click on a malicious URL.
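The flaw described above is the classic CSRF pattern: a settings endpoint trusts the session cookie alone, and the browser attaches that cookie to any form another site auto-submits. The example below is added here and is not Glassdoor's code or Mohamed's PoC; it models an account-settings service in memory (hypothetical origin `https://jobs.example.test`, constructed requests and users) and shows the vulnerable handler beside one that requires a per-session CSRF token and an `Origin` from the site itself.

```python
"""CSRF on an account-settings endpoint: vulnerable handler beside a hardened one.
All state is in-memory; Request stands in for what a browser would send, so this
runs offline with no web framework. Origins, users and e-mails are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://jobs.example.test"  # hypothetical site origin (assumption)


@dataclass
class Request:
    method: str
    cookies: dict   # the browser attaches cookies automatically, even cross-site
    form: dict
    headers: dict


@dataclass
class Session:
    user: str
    # per-session synchronizer token, embedded in the site's own forms
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AccountService:
    def __init__(self):
        self.users = {"victim": {"email": "victim@example.test"}}
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def change_email_vulnerable(self, req):
        """Authenticates by cookie only: any cross-site auto-submitted form succeeds."""
        sess = self._session(req)
        if sess is None:
            return 401
        self.users[sess.user]["email"] = req.form["email"]
        return 200

    def change_email_hardened(self, req):
        """Requires POST, a same-site Origin/Referer, and the session's CSRF token."""
        sess = self._session(req)
        if sess is None:
            return 401
        if req.method != "POST":
            return 405
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(SITE_ORIGIN):
            return 403
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, sess.csrf_token):  # constant-time compare
            return 403
        self.users[sess.user]["email"] = req.form["email"]
        return 200


def cross_site_request(sid):
    """What the victim's browser sends when a page on another origin submits a form:
    the session cookie rides along, but the attacker cannot read the CSRF token."""
    return Request("POST", {"sid": sid}, {"email": "attacker@evil.test"},
                   {"Origin": "https://evil.test"})


def legitimate_request(svc, sid):
    """A form submitted from the site itself carries the token and the site Origin."""
    sess = svc.sessions[sid]
    return Request("POST", {"sid": sid},
                   {"email": "new@example.test", "csrf_token": sess.csrf_token},
                   {"Origin": SITE_ORIGIN})


def demo():
    """Returns (status, resulting e-mail) for each scenario."""
    results = {}
    svc = AccountService()
    sid = svc.login("victim")
    results["vuln_cross_site"] = (svc.change_email_vulnerable(cross_site_request(sid)),
                                  svc.users["victim"]["email"])
    svc = AccountService()
    sid = svc.login("victim")
    results["hard_cross_site"] = (svc.change_email_hardened(cross_site_request(sid)),
                                  svc.users["victim"]["email"])
    results["hard_legit"] = (svc.change_email_hardened(legitimate_request(svc, sid)),
                             svc.users["victim"]["email"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The vulnerable path changes the victim's e-mail on a forged request; the hardened path rejects it because the forged form carries neither the token nor a same-site `Origin`, while a genuine submission still succeeds. In a real deployment the token check is complemented by marking the session cookie `SameSite=Lax` or `Strict`, so the browser does not send it on cross-site POSTs at all.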
About Glassdoor
Glassdoor is an American website where employees and former employees anonymously review companies and their management. Last year almost 500,000 companies were reviewed by various anonymous reviewers on Glassdoor. Glassdoor was launched in 2008, and its ratings of CEOs and workplaces, based on collating these reviews, are widely reported and regarded as a benchmarking tool for job offers.
Proof of Concept (PoC)
Video of the PoC
Mohamed has also put up a video detailing the vulnerabilities in Glassdoor, which you can see below.
Mohamed specializes in job websites because they are the ones visited by millions of job seekers across the world every day. Most of the vulnerabilities found by Mohamed have been accepted by the companies, and they have paid him bug bounty awards, but unfortunately Glassdoor has not acknowledged the above vulnerability as of yet.

Source: Mohamed M. Fouad's Blog