ID H1:547 Type hackerone Reporter andrisatteka Modified 2014-01-13T16:42:18
Description
1) Attacker creates a fake account and changes e-mail
2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.
{"hash": "c5fb4dbaf553dd829965f47d907b8fc777dd572a43d17cef7a33dbe8b3bd826a", "bounty": 100.0, "id": "H1:547", "lastseen": "2018-04-19T17:34:11", "viewCount": 26, "hashmap": [{"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "88714e576f5e90202717d153e29e43f9", "key": "h1reporter"}, {"hash": "d2aee34aad3e3d5c63e5e0039b45c292", "key": "h1team"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fc972247068a891f195aba92e81aa2b9", "key": "modified"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}], "bulletinFamily": "bugbounty", "bountyState": "resolved", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 5, "enchantments": {"vulnersScore": 5.0}, "type": "hackerone", "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "h1reporter": {"hacker_mediation": false, "username": "andrisatteka", "hackerone_triager": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/andrisatteka", "is_me?": false}, "title": "HackerOne: CSRF login", "history": [{"bulletin": {"enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:N/", "modified": "2018-02-07T16:58:00"}}, "bounty": 100.0, "edition": 4, "lastseen": "2018-02-07T16:58:00", "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "hashmap": [{"hash": "fc972247068a891f195aba92e81aa2b9", "key": "modified"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "88714e576f5e90202717d153e29e43f9", "key": "h1reporter"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "bulletinFamily": "bugbounty", "cvss": {"score": 0.0, "vector": "NONE"}, "id": "H1:547", "type": "hackerone", "bountyState": "resolved", "h1reporter": {"hacker_mediation": false, "username": "andrisatteka", "hackerone_triager": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/andrisatteka", "is_me?": false}, "title": "HackerOne: CSRF login", "history": [], "objectVersion": "1.3", "cvelist": [], "viewCount": 26, "published": "2014-01-03T11:22:33", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713"}, "url": "https://hackerone.com/security", "handle": "security"}, "references": [], "hash": "76b6cdee288921b32948505d6acbf9c2bb705738599170e5bbeead0d29571292", "reporter": "andrisatteka", "modified": "2014-01-13T16:42:18", "href": "https://hackerone.com/reports/547"}, "lastseen": "2018-02-07T16:58:00", "edition": 4, "differentElements": ["h1team"]}, {"bulletin": {"enchantments": {}, "bounty": 100.0, "edition": 1, "lastseen": "2017-08-22T11:09:38", "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "2b3680d5a2ec31650d15d54a1a85bd14", "key": "h1reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "bulletinFamily": "bugbounty", "cvss": {"score": 0.0, "vector": "NONE"}, "id": "H1:547", "type": "hackerone", "bountyState": "resolved", "h1reporter": {"hacker_mediation": false, "username": "andrisatteka", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/andrisatteka", "disabled": false}, "title": "HackerOne: CSRF login", "history": [], "objectVersion": "1.3", "cvelist": [], "viewCount": 14, "published": "2014-01-03T11:22:33", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713"}, "url": "https://hackerone.com/security", "handle": "security"}, "references": [], "hash": "b38f59169ef9d4ce591792b868991f9d4b1cc297c3990827d3ed3e934bd72359", "reporter": "andrisatteka", "modified": "1970-01-01T00:00:00", "href": "https://hackerone.com/reports/547"}, "lastseen": "2017-08-22T11:09:38", "edition": 1, "differentElements": ["h1reporter"]}, {"bulletin": {"enchantments": {}, "bounty": 100.0, "edition": 2, "lastseen": "2017-08-28T23:19:23", "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "da3fb68724dd162d4e18813f937773a0", "key": "h1reporter"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "bulletinFamily": "bugbounty", "cvss": {"score": 0.0, "vector": "NONE"}, "id": "H1:547", "type": "hackerone", "bountyState": "resolved", "h1reporter": {"hacker_mediation": false, "username": "andrisatteka", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/andrisatteka", "is_me?": false}, "title": "HackerOne: CSRF login", "history": [], "objectVersion": "1.3", "cvelist": [], "viewCount": 14, "published": "2014-01-03T11:22:33", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713"}, "url": "https://hackerone.com/security", "handle": "security"}, "references": [], "hash": "4aafe820f585956f2473333c7ece86799fc1fae474b63876de995694e82f0e3b", "reporter": "andrisatteka", "modified": "1970-01-01T00:00:00", "href": "https://hackerone.com/reports/547"}, "lastseen": "2017-08-28T23:19:23", "edition": 2, "differentElements": ["modified"]}, {"bulletin": {"enchantments": {"score": {"value": 6.8, "modified": "2017-08-29T13:11:25"}}, "bounty": 100.0, "edition": 3, "lastseen": "2017-08-29T13:11:25", "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "hashmap": [{"hash": "fc972247068a891f195aba92e81aa2b9", "key": "modified"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "da3fb68724dd162d4e18813f937773a0", "key": "h1reporter"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "bulletinFamily": "bugbounty", "cvss": {"score": 0.0, "vector": "NONE"}, "id": "H1:547", "type": "hackerone", "bountyState": "resolved", "h1reporter": {"hacker_mediation": false, "username": "andrisatteka", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/andrisatteka", "is_me?": false}, "title": "HackerOne: CSRF login", "history": [], "objectVersion": "1.3", "cvelist": [], "viewCount": 26, "published": "2014-01-03T11:22:33", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713"}, "url": "https://hackerone.com/security", "handle": "security"}, "references": [], "hash": "afaad29e7241d0b4f599a140f2aced25c85db1cb66c1415b85d0e9a5312d562f", "reporter": "andrisatteka", "modified": "2014-01-13T16:42:18", "href": "https://hackerone.com/reports/547"}, "lastseen": "2017-08-29T13:11:25", "edition": 3, "differentElements": ["h1reporter"]}], "objectVersion": "1.3", "cvelist": [], "published": "2014-01-03T11:22:33", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713", "medium": "https://profile-photos.hackerone-user-content.com/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713"}, "url": "https://hackerone.com/security", "handle": "security"}, "references": [], "reporter": "andrisatteka", "modified": "2014-01-13T16:42:18", "href": "https://hackerone.com/reports/547"}
