HackerOne: CSRF login

2014-01-03T11:22:33
ID H1:547
Type hackerone
Reporter andrisatteka
Modified 2014-01-13T16:42:18

Description

1) The attacker creates a fake account and changes its e-mail address.
2) The e-mail confirmation link can now be used to CSRF-login someone into the fake account; the attacker can then monitor the actions the victim performs, or even interact with them.
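The pattern behind this report, as an added illustration (hypothetical in-memory model written for this page, not HackerOne's code): an e-mail-change confirmation link that, when followed, both applies the change and issues a session cookie for the account that requested it. Anyone lured into opening the link is silently logged in as that account (login CSRF). The hardened handler keeps the token single-use, requires it to be presented from the same session that requested the change, and never creates a session on confirmation. `Site`, `ConfirmError` and the `run_attack` / `legitimate_change` drivers are all constructed for the example.

```python
"""Login CSRF via an e-mail confirmation link: a minimal in-memory model.

Hypothetical example code added for illustration; not the application
described in the report. Users, sessions and pending changes live in dicts.
"""
import secrets


class ConfirmError(Exception):
    """Raised by the hardened handler when a confirmation is refused."""


class Site:
    """Toy web application with registration, sessions and e-mail changes."""

    def __init__(self):
        self.users = {}     # user_id -> current e-mail address
        self.sessions = {}  # session cookie -> user_id
        # confirmation token -> (user_id, new e-mail, cookie that requested it)
        self.pending = {}

    def register(self, email):
        uid = len(self.users) + 1
        self.users[uid] = email
        return self.login(uid)

    def login(self, uid):
        """Issue a fresh session cookie bound to uid."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = uid
        return cookie

    def request_email_change(self, cookie, new_email):
        """Logged-in user asks to change e-mail; token is mailed as a link."""
        uid = self.sessions[cookie]
        token = secrets.token_urlsafe(32)
        self.pending[token] = (uid, new_email, cookie)
        return token  # in reality sent as https://site/confirm?token=...

    def confirm_vulnerable(self, token, visitor_cookie=None):
        """Vulnerable: following the link applies the change AND logs the
        visitor in as the account that requested it, whoever the visitor is."""
        uid, new_email, _ = self.pending.pop(token)
        self.users[uid] = new_email
        return self.login(uid)  # Set-Cookie for the clicker -> login CSRF

    def confirm_hardened(self, token, visitor_cookie=None):
        """Hardened: single-use token, must be presented from the session
        that requested the change, and confirming never creates a session."""
        entry = self.pending.get(token)
        if entry is None:
            raise ConfirmError("unknown or already used token")
        uid, new_email, origin_cookie = entry
        if visitor_cookie != origin_cookie or self.sessions.get(visitor_cookie) != uid:
            raise ConfirmError("confirmation must come from the requesting session")
        del self.pending[token]
        self.users[uid] = new_email
        return visitor_cookie  # visitor keeps their own, unchanged session


def run_attack(hardened):
    """Replay the report: attacker registers, changes e-mail, lures the victim
    into opening the link. Returns the e-mail of the account the victim's
    browser ends up acting as, or 'rejected'."""
    site = Site()
    attacker_cookie = site.register("attacker@example.com")   # constructed data
    victim_cookie = site.register("victim@example.com")       # constructed data
    token = site.request_email_change(attacker_cookie, "attacker-alt@example.com")
    confirm = site.confirm_hardened if hardened else site.confirm_vulnerable
    try:
        result_cookie = confirm(token, victim_cookie)
    except ConfirmError:
        return "rejected"
    return site.users[site.sessions[result_cookie]]


def legitimate_change():
    """The hardened flow still works for the user who asked for the change."""
    site = Site()
    cookie = site.register("alice@example.com")               # constructed data
    token = site.request_email_change(cookie, "alice-new@example.com")
    site.confirm_hardened(token, cookie)
    return site.users[site.sessions[cookie]]


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))  # victim now acts as attacker
    print("hardened:  ", run_attack(hardened=True))
    print("legit:     ", legitimate_change())
```

Binding the token to the requesting session is the strictest fix and means the link cannot be completed from a second device; a site that needs cross-device confirmation can instead keep the token single-use, apply the change on a POST protected by the normal anti-CSRF token, and in all cases refuse to issue a session from the confirmation endpoint, which is the step that turns a harmless link into a login CSRF.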