
quoting from Referer header: privacy and security concerns

For example, consider a "reset password" page with a social media link in a footer. If the link was followed, depending on how information was shared the social media site may receive the reset password URL and may still be able to use the shared information, potentially compromising a user's security.

I would like to ask what the security concern is in such a case. If I clicked on the social media link as described above, the social media site would receive only(?) the password reset link, but there shouldn't be any sensitive information like username or password, since I did not provide them in the form. Or is the above scenario addressing a case where I'm already authenticated and access the password reset link, and it "somehow" reveals, for example, my personal information?

Could someone please explain or at least provide some information for further reading?

Thanks a lot!

user211245

1 Answer


Consider a case where a site implements a password reset procedure as follows: The user id and current timestamp are encrypted using symmetric encryption with a key known only to the server, then this encrypted value is embedded in a URL (i.e. the 'password reset link') that is emailed to the email address on file for the user. When the user clicks the password reset link, the server then decrypts the encrypted user id + timestamp in the password reset link to determine the user that the link was created for, and when the link was created. Then, the server can 1) verify that the user was in fact able to receive the email sent to the email address on file, and the server can 2) calculate the amount of time that elapsed between the time that the link was generated and the time that the user clicked the link. If this amount of time is within an acceptable tolerance (e.g. 30 minutes or less), then the server assumes that the password reset request is valid, and proceeds to let the user change the password.

Now, in the scenario that you reference in your question where the HTTP referrer is leaked, let's assume that the user clicks the password reset link sent in the password reset email, then before completing the password reset process, the user gets distracted and clicks on a social media link at the bottom of the page. Then, the password reset link is now passed to the social media site as the HTTP Referrer. The social media site can now access the password reset link, and proceed to change the user's password, as if they were the user. Then, they can proceed to access the user's account.

mti2935
  • Thank you for such a nice explanation. Could you please tell me how the timestamp is embedded in the URL? – user211245 Dec 15 '19 at 14:55
  • The password reset link might be something like this: https://hostname.domain.tld/path/to/passwordresetform?xxxxx, where xxxxx is AES(userid + timestamp, key). – mti2935 Dec 15 '19 at 16:14
  • Sorry for the late reply, but I need to ask. The social media link you are referring to is embedded in the one-time password page for the password reset? So someone clicks on the password reset link sent via mail, the page loads, and it has a link to, say, Facebook at the bottom, correct? – user211245 Dec 17 '19 at 06:26
  • user211245, yes, that's correct. – mti2935 Dec 17 '19 at 10:20
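The following is an added example, written for this page and not code from the question, the answer or any project. It models the reset-link scheme the answer and the follow-up comment describe (user id + issue timestamp bound to a server-only key, carried in the query string of `https://hostname.domain.tld/path/to/passwordresetform`, checked against a 30-minute window on click), then shows what a cross-origin click from that page sends as the Referer under different `Referrer-Policy` values, and the usual mitigation of exchanging the token for a server-side session and redirecting to a token-free URL before the page with footer links is rendered. One deliberate deviation: the answer encrypts the user id and timestamp with AES; to stay within the Python standard library this example instead authenticates the plaintext fields with HMAC-SHA256, which still prevents forging a token or altering its timestamp but leaves the user id readable inside it. The key, the host names and the sample values are constructed.

```python
"""Password-reset link tokens and Referer leakage (added example, not the page's code)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # server-only secret (constructed value)
RESET_WINDOW_SECONDS = 30 * 60                      # the answer's "30 minutes or less"
RESET_FORM = "https://hostname.domain.tld/path/to/passwordresetform"  # host from the comment
TAG_LEN = hashlib.sha256().digest_size


def make_reset_token(user_id: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Bind (user id, issue time) to the server key. HMAC stands in for the answer's AES."""
    payload = f"{user_id}|{issued_at}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_reset_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Return (user_id, None) when the token is genuine and inside the window, else (None, reason)."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeEncodeError):
        return None, "malformed"
    if len(raw) <= TAG_LEN:
        return None, "malformed"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None, "bad signature"
    user_id, _, ts = payload.decode().rpartition("|")
    if not ts.isdigit():
        return None, "malformed"
    age = now - int(ts)
    if age < 0 or age > RESET_WINDOW_SECONDS:       # step 2 of the answer: elapsed-time check
        return None, "outside window"
    return user_id, None


def make_reset_link(user_id: str, issued_at: int) -> str:
    """The URL that is emailed: the token travels in the query string, as in the comment."""
    return RESET_FORM + "?" + urlencode({"token": make_reset_token(user_id, issued_at)})


def referer_sent(page_url: str, link_url: str, policy: str) -> str:
    """What a browser puts in the Referer header when a link on page_url to link_url is followed.

    Models the Referrer-Policy values relevant to this scenario; the fragment is always dropped.
    """
    page, link = urlsplit(page_url), urlsplit(link_url)
    page_origin = f"{page.scheme}://{page.netloc}"
    same_origin = page_origin == f"{link.scheme}://{link.netloc}"
    downgrade = page.scheme == "https" and link.scheme == "http"
    full_url = page._replace(fragment="").geturl()
    if policy == "no-referrer":
        return ""
    if policy == "no-referrer-when-downgrade":      # older browser default: leaks the whole URL
        return "" if downgrade else full_url
    if policy == "same-origin":
        return full_url if same_origin else ""
    if policy == "origin":
        return page_origin + "/"
    if policy == "strict-origin-when-cross-origin":  # current browser default: origin only
        if downgrade:
            return ""
        return full_url if same_origin else page_origin + "/"
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def exchange_token_for_session(link_url: str, now: int):
    """Mitigation: validate the token once on arrival, keep the user id server-side, and
    redirect to a token-free form URL so the page carrying footer links has no secret to leak.
    Returns (redirect_url, session) on success, (None, reason) otherwise."""
    token = parse_qs(urlsplit(link_url).query).get("token", [""])[0]
    user_id, reason = verify_reset_token(token, now)
    if user_id is None:
        return None, reason
    return RESET_FORM, {"reset_user_id": user_id, "valid_until": now + RESET_WINDOW_SECONDS}


if __name__ == "__main__":
    social = "https://social.example/share"           # constructed third-party link target
    link = make_reset_link("alice", 1_000)
    print("leaked with no-referrer-when-downgrade:", referer_sent(link, social, "no-referrer-when-downgrade"))
    print("leaked with strict-origin-when-cross-origin:", referer_sent(link, social, "strict-origin-when-cross-origin"))
    redirect, session = exchange_token_for_session(link, 1_500)
    print("after exchange, footer click leaks only:", referer_sent(redirect, social, "no-referrer-when-downgrade"), session)
```

Two points the code makes concrete: the elapsed-time check limits how long a leaked link stays usable, but does nothing for a click that happens within the window, which is exactly the answer's scenario; and the defence that removes the problem is to stop the secret from being in the URL of the rendered page at all (the exchange-and-redirect step), with a restrictive `Referrer-Policy` as a second layer for whatever does remain in the URL.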