Chaturbate: CSRF in cancel group and private show requests

2018-08-17T03:34:54
ID H1:396338
Type hackerone
Reporter encrypt
Modified 2018-09-21T02:45:33

Description

The hacker found that the private and group show cancel URLs were not checking for CSRF headers. This issue was quickly resolved.

I have found a CSRF vulnerability in chat rooms. When users cancel group shows for any chat room, a POST request is made to the server on this endpoint: /tipping/group_show_cancel/broadcaster's_username/, and this request is CSRF protected. This CSRF protection can be bypassed by making a GET request to the above endpoint, and the group show request will be cancelled.
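The flaw the report describes, as an added example (not Chaturbate's code): a handler that verifies the CSRF token only on POST, so a GET to the same path still performs the cancellation, next to a hardened handler that rejects every non-POST method and verifies the token on each POST. The dict-based request and session, the `csrf_token` form field name and the broadcaster name are assumptions.

```python
import hmac
import secrets

# Constructed model of the /tipping/group_show_cancel/<broadcaster>/ handler.
# Requests and sessions are plain dicts; `state` records which shows were cancelled.
ENDPOINT = "/tipping/group_show_cancel/{broadcaster}/"


def new_session():
    """Session carrying a random CSRF token (assumption: token stored per session)."""
    return {"user": "viewer", "csrf_token": secrets.token_hex(16)}


def csrf_token_valid(request, session):
    """Constant-time comparison of the submitted token against the session's."""
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = session.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(submitted.encode(), expected.encode())


def cancel_group_show(state, broadcaster):
    """The state-changing action: mark the broadcaster's group show cancelled."""
    state[broadcaster] = "cancelled"


def group_show_cancel_vulnerable(request, session, state):
    """Pattern from the report: the token is checked only when the method is POST,
    so any other method reaches the cancellation without a token."""
    if request["method"] == "POST" and not csrf_token_valid(request, session):
        return 403
    cancel_group_show(state, request["broadcaster"])
    return 200


def group_show_cancel_hardened(request, session, state):
    """Fix: a state-changing endpoint accepts POST only (405 otherwise), and every
    POST must carry a valid token (403 otherwise) before the action runs."""
    if request["method"] != "POST":
        return 405
    if not csrf_token_valid(request, session):
        return 403
    cancel_group_show(state, request["broadcaster"])
    return 200
```

A regression test for this class of bug sends the request with every method the framework routes (GET, HEAD, PUT, DELETE) and asserts the state is unchanged; checking only the documented POST path is what let the bypass through.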