Glassdoor, a platform for posting anonymous company reviews and job hunting, has recently fixed a critical issue that could have been exploited by bad actors to take over accounts.
The bug bounty researcher "Tabahi" (https://twitter.com/_tabahi) discovered the vulnerability and described it as a site-wide cross-site request forgery (CSRF) bug with an estimated severity score of 9 to 10. A token, gdToken, was in use on the Glassdoor website to protect its endpoints against CSRF, and to an untrained eye it could have looked like a secure implementation.