##Description: There is no csrf validation while logging in which leads to csrf. An attacker can craft an HTML page containing information to have the victim sign into an attacker's account, where the victim may add sensitive payment information to the attacker's new account assuming he/she is logged into the correct account, where in reality, the victim is signed into the attacker's account where the changes are visible to the attacker ##Steps to reproduce: 1-Login as Victim 2-Now as Attacker Go to Login page give attacker's email and an Account confirmation link will send to the attacker's email 3-Extract the value of id, Key and Token from the confirmation link and replace it in HTML File (POC) 4-Send the script to the Victim to make them click then Victim now logged in to the attacker's account (After some time victim account gets logged out without any warning) Note: The victim may add sensitive payment information to the attacker's new account and also Attacker can now see all activities of the victim including all sensitive information that the victim supplied to the account. ##Proof of concept: (video) {F1228371} ##Remediation: 1)When clicking on a signing link while you're already logged in, show a message like "You're already logged in as xxx. Do you want to sign in as yyy instead? 2)Limit CSRF tokens per IP, by including them in the token's payloads ## Impact 1)The victim may add sensitive payment information to the attacker's new account {F1228368} 2)Log any victim into the attacker account, the attacker can create a similar account profile as the victim - with some information missing, and then social-engineering (e.g. email) user to provide personal information or current password and can also monitor the victim activities. 3)The victim may add Personal Information and Organization Information to the attacker's new account {F1228369}

Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/