|Category:||Cross Domain Referer Leakage|
|Reporter:||Smit B. Shah & Nikhil Srivastava from Techdefence Labs|
On January 11, 2015 a security vulnerability was reported by Smit B. Shah and Nikhil Srivastava that caused password reset tokens to be forwarded to third-party social networks in the HTTP referrer header. The vulnerabilty would allow privileged users at those third-parties to gain access to user generated password reset tokens. A patch that resolved this bug was comitted on January 29th, 2015. The resolution of this issue was announced via the firstname.lastname@example.org list on January 30, 2015.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-2286 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Social sharing links in the footer of edX were present on the target page specified in password reset email. In the case that a user clicked the emailed link to reset their password and subsequently clicked one of the third-party Follow Us links in the edx footer, the HTTP Referrer header would contain the password reset token. This token would then be available either in logs or code running at the third-party.
The bug was introduced in this commit.
The bug was fixed in this commit.