The hacker found that the private and group show cancel URLs were not checking for CSRF headers. This issue was quickly resolved.

I have found a CSRF vulnerability in the chat room. When users cancel group shows for any chat room, a POST request is made to the server on this endpoint, /tipping/group_show_cancel/broadcaster's_username/, and this request is CSRF protected. This CSRF protection can be bypassed by making a GET request to the above endpoint, and the group show request will be cancelled.
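The defect described above, a CSRF check that only runs on POST while the same handler still performs the state change on GET, reduced to a minimal handler beside its hardened form. This is an added illustration, not code from the site or the report; the function names, the session/header token pair and the `group_show_pending` state are assumptions.

```python
import hmac


def _csrf_valid(session_token, header_token):
    """Constant-time comparison of the per-session CSRF token against the
    token the client sent in a header; missing tokens never validate."""
    if not session_token or not header_token:
        return False
    return hmac.compare_digest(session_token, header_token)


def cancel_group_show_vulnerable(method, session_csrf, header_csrf, state):
    """Mirrors the reported bug: the CSRF check is gated on the method, so a
    cross-site GET never reaches it and still cancels the pending show.
    Returns (http_status, state)."""
    if method == "POST" and not _csrf_valid(session_csrf, header_csrf):
        return 403, state
    state["group_show_pending"] = False  # reached for GET with no token at all
    return 200, state


def cancel_group_show_fixed(method, session_csrf, header_csrf, state):
    """Hardened form: a state-changing action is only accepted over POST,
    and the CSRF check runs unconditionally on that path."""
    if method != "POST":
        return 405, state  # GET (or any other method) cannot change state
    if not _csrf_valid(session_csrf, header_csrf):
        return 403, state
    state["group_show_pending"] = False
    return 200, state


if __name__ == "__main__":
    # Constructed sample: a room with a pending group show and a valid session token.
    room = {"group_show_pending": True}
    print(cancel_group_show_vulnerable("GET", "s3cr3t", None, dict(room)))
    print(cancel_group_show_fixed("GET", "s3cr3t", None, dict(room)))
    print(cancel_group_show_fixed("POST", "s3cr3t", "s3cr3t", dict(room)))
```

The same audit applies to any other state-changing route (the summary mentions the private show cancel URL as well): reject non-POST methods outright rather than relying on the CSRF check alone.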