Legal Robot: Update any profile

2017-08-16T02:36:44
ID H1:260604
Type hackerone
Reporter samczsun
Modified 2017-08-16T04:41:52

Description

A security researcher discovered that profile fields (first name, last name, title, company, bio) could be modified by another authenticated user if that user had access to the victim's randomly generated user ID. Thanks to @samczsun for an excellent and detailed report!
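The flaw described above is a missing ownership check on the profile update: a random user ID is an identifier, not an authorization control. The following added example (not Legal Robot's code and not taken from the report) shows that pattern beside a corrected handler; the in-memory store, function names and user IDs are hypothetical.

```python
# Added illustration; the store, function names and IDs are hypothetical.
EDITABLE_FIELDS = {"first_name", "last_name", "title", "company", "bio"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to modify the target profile."""


def new_store():
    # Constructed sample data: two users with random-looking IDs.
    return {
        "u_7f3a9c": {"first_name": "Alice", "bio": "Counsel"},
        "u_b21e04": {"first_name": "Bob", "bio": "Paralegal"},
    }


def update_profile_unchecked(store, session_user_id, target_user_id, changes):
    """Flawed pattern: any authenticated caller may write to any known ID."""
    if session_user_id not in store:
        raise Forbidden("not authenticated")
    store[target_user_id].update(changes)  # session identity is never compared
    return store[target_user_id]


def update_profile(store, session_user_id, target_user_id, changes):
    """Corrected pattern: the write is bound to the authenticated identity."""
    if session_user_id not in store:
        raise Forbidden("not authenticated")
    if target_user_id != session_user_id:
        raise Forbidden("caller does not own this profile")
    unknown = set(changes) - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    store[target_user_id].update(changes)
    return store[target_user_id]


def demo():
    """Return (unchecked write succeeded, checked write rejected)."""
    store = new_store()
    update_profile_unchecked(store, "u_b21e04", "u_7f3a9c", {"bio": "changed"})
    unchecked_changed = store["u_7f3a9c"]["bio"] == "changed"
    store = new_store()
    try:
        update_profile(store, "u_b21e04", "u_7f3a9c", {"bio": "changed"})
        rejected = False
    except Forbidden:
        rejected = True
    return unchecked_changed, rejected and store["u_7f3a9c"]["bio"] == "Counsel"
```

A regression test for this class of bug authenticates as one user and attempts the update against a second user's ID, asserting both the rejection and that the stored record is unchanged.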