Legal Robot: User Information leak allows user to bypass email verification.

2016-08-26T02:48:11
ID H1:163467
Type hackerone
Reporter cablej
Modified 2016-09-12T18:47:08

Description

When a user is logged on, the following is sent:

██████

This contains some sensitive information, most notably the email token. A user can use this to bypass email verification and verify any email.

In addition, the hashed password is leaked, which could present a vulnerability if a user's account is compromised without compromising the password.
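
A server-side guard against the leak described above, as an added example that is not part of the original report or Legal Robot's code. It builds the client-facing user object from an allowlist and scans outbound payloads for secret-looking keys. The schema, field names and sample record are constructed assumptions, since the actual payload is redacted.

```javascript
// Added example: schema, field names and values are hypothetical, not taken from the report.
const SENSITIVE_KEY = /token|password|bcrypt|secret/i;
const PUBLIC_USER_FIELDS = ['id', 'username', 'emails.address', 'emails.verified'];

// Constructed sample of a stored user record.
const storedUser = {
  id: 'u1',
  username: 'alice',
  emails: [{ address: 'alice@example.com', verified: false }],
  services: {
    password: { bcrypt: '<constructed-hash-placeholder>' },
    email: { verificationTokens: [{ token: '<constructed-token-placeholder>' }] },
  },
};

// Copy one dotted path from src into dst, mapping over arrays on the way.
function copyPath(src, dst, parts) {
  const [head, ...rest] = parts;
  if (src === null || typeof src !== 'object' || !(head in src)) return;
  const value = src[head];
  if (rest.length === 0) { dst[head] = value; return; }
  if (Array.isArray(value)) {
    dst[head] = dst[head] || value.map(() => ({}));
    value.forEach((item, i) => copyPath(item, dst[head][i], rest));
  } else {
    dst[head] = dst[head] || {};
    copyPath(value, dst[head], rest);
  }
}

// Build the client view from an allowlist, so fields added server-side stay private by default.
function toClientUser(user, allowed = PUBLIC_USER_FIELDS) {
  const out = {};
  for (const path of allowed) copyPath(user, out, path.split('.'));
  return out;
}

// Walk any outbound payload and return the paths of keys that look like secrets.
// Intended as a regression check in tests or a response hook.
function findSensitiveKeys(value, prefix = '') {
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const path = prefix ? `${prefix}.${key}` : key;
    return (SENSITIVE_KEY.test(key) ? [path] : []).concat(findSensitiveKeys(child, path));
  });
}
```

Running `findSensitiveKeys` against every login response in the test suite catches a regression where the full stored record is serialized again.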