Legal Robot: User Information leak allows user to bypass email verification.

ID H1:163467
Type hackerone
Reporter cablej
Modified 2016-09-12T18:47:08


When a user is logged on, the following is sent:


This contains some sensitive information, most notably the email verification token. A user can take this token from the response and use it to bypass email verification, verifying any email address.

In addition, the hashed password is leaked, which could become a vulnerability in its own right if a user's account is compromised without the password itself being compromised.
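The root cause described above is a logged-in user payload that serialises the whole user record, verification secret and password hash included. The following is an added example, not Legal Robot's code, showing the leaky pattern next to an allowlist serialiser, a response audit helper that flags sensitive keys, and a verification step that illustrates why the leaked token alone is enough to confirm an address. The record fields, key names and sample values are assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass, asdict
from typing import Any

# Constructed sample record. Field names are assumptions for this example,
# not Legal Robot's actual schema.
@dataclass
class UserRecord:
    id: int
    email: str
    email_verified: bool
    password_hash: str   # server-side secret: must never reach a client
    email_token: str     # one-time verification secret, same rule

# Keys that never belong in any client-facing payload (assumed list; extend per app).
SENSITIVE_KEYS = frozenset({"password_hash", "email_token", "password", "token"})

# Fields the client actually needs to render the logged-in user.
PUBLIC_FIELDS = ("id", "email", "email_verified")


def serialize_user_unsafe(user: UserRecord) -> dict[str, Any]:
    """The pattern behind the report: dump the whole record object as-is."""
    return asdict(user)


def serialize_user(user: UserRecord) -> dict[str, Any]:
    """Hardened: explicit allowlist, so any new secret column stays private by default."""
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}


def find_leaked_fields(payload: Any, sensitive=SENSITIVE_KEYS, path: str = "") -> list[str]:
    """Audit helper: walk a JSON-like structure and return dotted paths of sensitive keys.

    Run it over API responses in tests so a refactor that re-exposes a column fails CI.
    """
    leaks: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else str(key)
            if key in sensitive:
                leaks.append(here)
            leaks.extend(find_leaked_fields(value, sensitive, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            leaks.extend(find_leaked_fields(item, sensitive, f"{path}[{i}]"))
    return sorted(leaks)


def verify_email(user: UserRecord, presented_token: str) -> bool:
    """The token is the only proof of mailbox access, which is exactly why leaking it
    in the session payload lets a user verify an address they do not control."""
    if user.email_verified or not presented_token:
        return False
    if not hmac.compare_digest(user.email_token, presented_token):
        return False
    user.email_verified = True
    user.email_token = ""   # single use: discard after success
    return True


if __name__ == "__main__":
    demo = UserRecord(1, "user@example.com", False, "$2b$12$constructedhash", "tok123")
    print("unsafe payload leaks:", find_leaked_fields(serialize_user_unsafe(demo)))
    print("allowlisted payload leaks:", find_leaked_fields(serialize_user(demo)))
```

The allowlist is deliberate: a denylist of "known bad" columns would have missed the email token in the first place, whereas an allowlist only ever exposes fields someone chose to expose. The audit helper is the detection side, useful as a regression test over every endpoint that returns a user object.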