Blockstack: Cross site request forgery

ID H1:269196
Type hackerone
Reporter firestone
Modified 2018-01-10T14:23:59


An e-mail signup form does not check CSRF tokens. This would allow the creation of clickable links that perform an e-mail signup. Because the e-mail signup form neither passes any sensitive information nor performs any state changes on behalf of a user, this is not a vector for attack.