
Password reset token leaking to github #376

degeri opened this issue May 10, 2019 · 0 comments · Fixed by #377

@degeri degeri commented May 10, 2019

While on the reset password page, if the user clicks the "The source code is available at GitHub" button, the request leaks the full URL in the referrer. This is benign in most cases, but on this page it exposes the secret password reset link.

This has a very low impact:

  1. It is leaking to, the chances of an attack from is small.

  2. Requires the user to do an unlikely action.

  3. The reset link will expire in an hour or after the user resets the password.

  4. With the reset link an attacker will not be able to determine the user's email ID.


This vulnerability has been reported through the Bug bounty program
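The mechanism above is the browser's default referrer behaviour: a link from an HTTPS page to another HTTPS origin sends the full page URL, query string included, in the Referer header. The example below is added here and is not code from the project or from PR #377 (which this page does not show); it assumes a Go web application, a hypothetical `/passwordreset?t=...` route, and a constructed token `0123abcd`. It models what leaks under the policies a practitioner would compare, and shows a handler that stops the leak with a `Referrer-Policy: no-referrer` response header plus `rel="noreferrer"` on the link itself, so the token stays out of the request to GitHub even if the header is stripped by an intermediary.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// referrerFor models the Referer value a browser sends when a page at `from`
// navigates to `to` under the given Referrer-Policy token. This is a simplified
// model of the policies relevant to this issue, not a full implementation of
// the W3C Referrer Policy spec. An empty or unknown policy falls back to the
// browser default of the time (no-referrer-when-downgrade), which sends the
// full URL to any HTTPS destination.
func referrerFor(policy string, from, to *url.URL) string {
	sameOrigin := from.Scheme == to.Scheme && from.Host == to.Host
	downgrade := from.Scheme == "https" && to.Scheme != "https"

	full := func() string {
		u := *from
		u.Fragment = "" // fragments are never sent
		u.User = nil    // credentials are never sent
		return u.String()
	}
	origin := func() string { return from.Scheme + "://" + from.Host + "/" }

	switch policy {
	case "no-referrer":
		return ""
	case "same-origin":
		if sameOrigin {
			return full()
		}
		return ""
	case "origin":
		return origin()
	case "strict-origin":
		if downgrade {
			return ""
		}
		return origin()
	case "strict-origin-when-cross-origin":
		if downgrade {
			return ""
		}
		if sameOrigin {
			return full()
		}
		return origin()
	default: // "", "no-referrer-when-downgrade", or an unrecognised token
		if downgrade {
			return ""
		}
		return full()
	}
}

// resetPageHTML is a constructed stand-in for the reset password page. The
// rel="noreferrer" attribute blocks the Referer on this link regardless of
// the page-wide policy; the repository URL is a placeholder.
const resetPageHTML = `<!doctype html>
<html><body>
<form method="POST"><input type="password" name="password"><button>Reset</button></form>
<a href="https://github.com/example/project" rel="noreferrer">The source code is available at GitHub</a>
</body></html>`

// resetPageHandler serves the reset page with a no-referrer policy so that no
// outbound request from this page (links, images, scripts) carries the token
// that sits in the page URL.
func resetPageHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Referrer-Policy", "no-referrer")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, resetPageHTML)
}

func main() {
	// Constructed URLs: the reset page carrying a placeholder token, and the
	// cross-origin destination of the "source code" link.
	from, _ := url.Parse("https://pool.example.invalid/passwordreset?t=0123abcd")
	to, _ := url.Parse("https://github.com/example/project")
	for _, p := range []string{"no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"} {
		fmt.Printf("%-32s Referer: %q\n", p, referrerFor(p, from, to))
	}
	http.HandleFunc("/passwordreset", resetPageHandler)
	// http.ListenAndServe(":8080", nil) // uncomment to serve the page locally
}
```

Running `main` prints the full token-bearing URL for the default policy, only the origin for `strict-origin-when-cross-origin`, and nothing for `no-referrer`. The header-based fix is the one to prefer because it also covers any third-party images or scripts the page may load; `rel="noreferrer"` on the link is cheap defence in depth.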

@degeri degeri mentioned this issue May 10, 2019
@dajohi dajohi closed this in #377 May 15, 2019