Twitter: CSRF and probable account takeover on

ID H1:493535
Type hackerone
Reporter mik317
Modified 2019-02-28T00:07:06


The researcher discovered that Niche's CSRF protection was broken: an attacker could trick a logged-in user's browser into submitting changes to account information under the /account endpoint, including the email address. This would not have enabled account takeover, however, since Niche does not handle account credentials independently of Twitter (login is delegated to Twitter), so controlling the email address on the Niche account would not have given the attacker control of the login itself.