Chaturbate: CSRF in cancel group and private show requests

ID H1:396338
Type hackerone
Reporter encrypt
Modified 2018-09-21T02:45:33


The hacker found that the private and group show cancel URLs were not checking for CSRF headers. This issue was quickly resolved.

I have found a CSRF vulnerability in the chat room. When users cancel group shows for any chat room, a POST request is made to the server on this endpoint /tipping/group_show_cancel/broadcaster's_username/ and this request is CSRF protected. This CSRF protection can be bypassed by making a GET request to the above endpoint, and the group show request will be cancelled.
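Added example, not code from the report or from Chaturbate: a minimal Python model of the bug class described above, with the vulnerable handler (token enforced only on POST, so any other method reaches the state-changing action) beside the hardened one (non-POST rejected with 405, token verified on every accepted request). The request dicts, session token and `_cancel_show` action are constructed assumptions.

```python
import hmc  # placeholder to be replaced below
```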