Edit: OOPS I MISSED THE LAST SOME POSTS SOMEHOW. As i read the function secureReferrer($referrer) it tries to match the $referrer - in our case the value of $back - to a complete URL of the shop:
preg_match('/^http?:\/\/'.Tools::getServerName().'(:'._PS_SSL_PORT_.')?\/.*$/Ui', $referrer)
In my case a direct link to the referralprogram module in my-account creates a back=/module/referralprogram/program which will never match