Twitter: CSRF and probable account takeover on https://www.niche.co

2019-02-10T10:17:27
ID H1:493535
Type hackerone
Reporter mik317
Modified 2019-02-28T00:07:06

Description

The researcher discovered that Niche’s CSRF protection was broken and that an attacker could trick a logged-in user into changing account information under the /account endpoint, including the email address. This would not have enabled account takeover, however, since Niche does not handle account credentials independently of Twitter.