HackerOne: CSRF login

ID H1:547
Type hackerone
Reporter andrisatteka
Modified 2014-01-13T16:42:18


1) Attacker creates a fake account and changes its e-mail address.
2) The e-mail confirmation link can now be used to CSRF-login a victim into the fake account, after which the attacker can monitor the actions the victim performs or even interact with them.
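The root cause in this class of bug is a confirmation endpoint that does two jobs at once: it completes the pending e-mail change and it establishes a session for whoever presents the token. The following is an added illustration, not code from the report or from HackerOne's platform; the hypothetical application state, endpoint names and sample accounts are all constructed. It replays the two steps above against a weak handler and against a hardened one that never authenticates on confirmation and only completes the change for the already-logged-in account owner.

```python
"""Login CSRF via an e-mail confirmation link: weak handler beside a hardened one.

Constructed, in-memory model of a hypothetical web application; not the
vulnerable site's real code. Sessions are plain dicts standing in for the
server-side session backing a browser's cookie.
"""
import secrets

# Constructed sample state: one account owned by the attacker and a table of
# pending e-mail changes keyed by the confirmation token in the e-mailed link.
USERS = {"attacker": {"email": "attacker@example.com"}}
PENDING = {}


def request_email_change(user, new_email):
    """Issue the token that goes into the confirmation link (hypothetical endpoint)."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = {"user": user, "new_email": new_email}
    return token


def confirm_vulnerable(token, session):
    """Weak handler: whoever follows the link is logged in as the account owner.

    Because the token is the only credential checked, forcing a victim's browser
    to load the link (an <img> or hidden iframe on any page) logs the victim into
    the attacker's account without the victim ever typing anything.
    """
    record = PENDING.pop(token, None)
    if record is None:
        return "invalid"
    USERS[record["user"]]["email"] = record["new_email"]
    session["user"] = record["user"]  # the bug: the link authenticates the clicker
    return "confirmed"


def confirm_hardened(token, session):
    """Hardened handler: the link never creates a session.

    The change is completed only when the request arrives from a session that is
    already authenticated as the account that requested it; anyone else gets a
    rejection and is left logged out, so the link is useless as a login CSRF vector.
    """
    record = PENDING.get(token)
    if record is None:
        return "invalid"
    if session.get("user") != record["user"]:
        return "rejected"  # token stays pending for the real owner; no session change
    PENDING.pop(token)
    USERS[record["user"]]["email"] = record["new_email"]
    return "confirmed"


def replay_attack(handler):
    """Steps 1 and 2 of the report: attacker requests a change, victim loads the link.

    Returns (handler outcome, who the victim's session is now logged in as,
    the attacker account's resulting e-mail).
    """
    USERS["attacker"]["email"] = "attacker@example.com"
    token = request_email_change("attacker", "fresh@example.com")
    victim_session = {}  # the victim is not logged in anywhere on the site
    outcome = handler(token, victim_session)
    return outcome, victim_session.get("user"), USERS["attacker"]["email"]


def replay_legitimate(handler):
    """The owner confirms from their own logged-in session; must still succeed."""
    USERS["attacker"]["email"] = "attacker@example.com"
    token = request_email_change("attacker", "fresh@example.com")
    owner_session = {"user": "attacker"}
    outcome = handler(token, owner_session)
    return outcome, owner_session.get("user"), USERS["attacker"]["email"]


if __name__ == "__main__":
    print("vulnerable, victim clicks:", replay_attack(confirm_vulnerable))
    print("hardened,   victim clicks:", replay_attack(confirm_hardened))
    print("hardened,   owner clicks: ", replay_legitimate(confirm_hardened))
```

The hardened version keeps the token unguessable but stops treating it as a login credential; if a product genuinely needs the link to work for a logged-out user, the safe alternative is to prompt for the account password on the confirmation page rather than to set the session cookie from a GET request.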