Password Reset Link Leaked In Referer Header In Request To Third Party Sites
Low
Nord Security
Team Summary
Official summary from Nord Security
The reporter has identified that the web application is leaking the password reset token in the HTTP referrer header. By obtaining a token, a malicious user would be able to reset the password of a particular user. It is worth mentioning that the attack must be highly personalised and requires prior knowledge of the user's email address that is registered on our platform.
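An added example, not part of the report and not Nord Security's code: a model of the Referer value a browser sends under each Referrer-Policy, used to check which policies would let a reset token carried in the page URL reach a third-party host. The URLs, token, parameter name and function names are constructed for illustration, and "downgrade" is simplified to an https page requesting an http resource.

```javascript
// Added example: which Referer value a browser sends for a given Referrer-Policy.
// Simplification (assumption): "downgrade" means https page -> http target.
function refererSent(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Browsers strip credentials and the fragment before sending a referrer.
  page.username = ''; page.password = ''; page.hash = '';
  const full = page.href;
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown Referrer-Policy: ' + policy);
  }
}

// True when the secret query parameter would reach the requested host.
function leaksToken(pageUrl, targetUrl, policy, param = 'token') {
  const sent = refererSent(pageUrl, targetUrl, policy);
  if (sent === null) return false;
  const secret = new URL(pageUrl).searchParams.get(param);
  return secret !== null && new URL(sent).searchParams.get(param) === secret;
}

// Constructed sample values, not taken from the report.
const RESET_PAGE = 'https://app.example.test/reset-password?token=CONSTRUCTED-TOKEN-123';
const THIRD_PARTY = 'https://cdn.thirdparty.example/analytics.js';
const POLICIES = ['no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url'];

// Returns the policies under which the reset token reaches the third party.
function auditPolicies() {
  return POLICIES.filter((p) => leaksToken(RESET_PAGE, THIRD_PARTY, p));
}

console.log('Policies that leak the reset token:', auditPolicies());
```

Only the policies that send the full URL cross-origin expose the token; serving the reset page with a policy such as `no-referrer`, or keeping the token out of the URL, removes the exposure.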
Reported by
th3pr0xyb0y
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cleartext Transmission of Sensitive Information