ID H1:547 Type hackerone Reporter andrisatteka Modified 2014-01-13T16:42:18
Description
1) The attacker creates a fake account and changes its e-mail address.
2) The e-mail confirmation link can then be used to log a victim into the fake account via CSRF (a login CSRF), after which the attacker can monitor the actions the victim performs or even interact with them.
{"id": "H1:547", "bulletinFamily": "bugbounty", "title": "HackerOne: CSRF login", "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "published": "2014-01-03T11:22:33", "modified": "2014-01-13T16:42:18", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/547", "reporter": "andrisatteka", "references": [], "cvelist": [], "type": "hackerone", "lastseen": "2018-04-19T17:34:11", "history": [{"bulletin": {"bounty": 100.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "edition": 4, "enchantments": {"score": {"modified": "2018-02-07T16:58:00", "value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:N/"}}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/andrisatteka", "username": "andrisatteka"}, "h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "hash": "76b6cdee288921b32948505d6acbf9c2bb705738599170e5bbeead0d29571292", "hashmap": [{"hash": "fc972247068a891f195aba92e81aa2b9", "key": "modified"}, 
{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "88714e576f5e90202717d153e29e43f9", "key": "h1reporter"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/547", "id": "H1:547", "lastseen": "2018-02-07T16:58:00", "modified": "2014-01-13T16:42:18", "objectVersion": "1.3", "published": "2014-01-03T11:22:33", "references": [], "reporter": "andrisatteka", "title": "HackerOne: CSRF login", "type": "hackerone", "viewCount": 26}, "differentElements": ["h1team"], "edition": 4, "lastseen": "2018-02-07T16:58:00"}, {"bulletin": {"bounty": 100.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "edition": 1, "enchantments": {}, "h1reporter": {"disabled": false, "hacker_mediation": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/andrisatteka", "username": "andrisatteka"}, 
"h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "hash": "b38f59169ef9d4ce591792b868991f9d4b1cc297c3990827d3ed3e934bd72359", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "2b3680d5a2ec31650d15d54a1a85bd14", "key": "h1reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/547", "id": "H1:547", "lastseen": "2017-08-22T11:09:38", "modified": "1970-01-01T00:00:00", "objectVersion": "1.3", "published": "2014-01-03T11:22:33", "references": [], "reporter": "andrisatteka", "title": "HackerOne: CSRF login", "type": "hackerone", "viewCount": 14}, "differentElements": ["h1reporter"], "edition": 1, "lastseen": "2017-08-22T11:09:38"}, {"bulletin": {"bounty": 100.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, 
"vector": "NONE"}, "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "edition": 2, "enchantments": {}, "h1reporter": {"disabled": false, "hacker_mediation": false, "is_me?": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/andrisatteka", "username": "andrisatteka"}, "h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "hash": "4aafe820f585956f2473333c7ece86799fc1fae474b63876de995694e82f0e3b", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": "62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "da3fb68724dd162d4e18813f937773a0", "key": "h1reporter"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": 
"fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/547", "id": "H1:547", "lastseen": "2017-08-28T23:19:23", "modified": "1970-01-01T00:00:00", "objectVersion": "1.3", "published": "2014-01-03T11:22:33", "references": [], "reporter": "andrisatteka", "title": "HackerOne: CSRF login", "type": "hackerone", "viewCount": 14}, "differentElements": ["modified"], "edition": 2, "lastseen": "2017-08-28T23:19:23"}, {"bulletin": {"bounty": 100.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "1) Attacker creates a fake account and changes e-mail\r\n2) The e-mail confirmation link can now be used to CSRF login someone into the fake account, then monitor actions performed by the victim or even interact with him.\r\n\r\n\r\n", "edition": 3, "enchantments": {"score": {"modified": "2017-08-29T13:11:25", "value": 6.8}}, "h1reporter": {"disabled": false, "hacker_mediation": false, "is_me?": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/andrisatteka", "username": "andrisatteka"}, "h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "hash": "afaad29e7241d0b4f599a140f2aced25c85db1cb66c1415b85d0e9a5312d562f", "hashmap": [{"hash": "fc972247068a891f195aba92e81aa2b9", "key": "modified"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1eedbccb5c0b9fb2f11e4b127a69bf57", "key": "title"}, {"hash": 
"62dca49f0781bf26b4305bddb0414bea", "key": "bounty"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "da3fb68724dd162d4e18813f937773a0", "key": "h1reporter"}, {"hash": "d34817f156fcb8b7bb3ed69008b3e7b7", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df5f0b65e2fc91373c9d231057a98b36", "key": "reporter"}, {"hash": "644ed5c6265b09046c7f0ca9a9f36277", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6318a7f706df448c5c95d391922356d", "key": "description"}, {"hash": "c4ec3223c043872070db363859ea6e58", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/547", "id": "H1:547", "lastseen": "2017-08-29T13:11:25", "modified": "2014-01-13T16:42:18", "objectVersion": "1.3", "published": "2014-01-03T11:22:33", "references": [], "reporter": "andrisatteka", "title": "HackerOne: CSRF login", "type": "hackerone", "viewCount": 26}, "differentElements": ["h1reporter"], "edition": 3, "lastseen": "2017-08-29T13:11:25"}], "edition": 5, "hashmap": [{"key": "bounty", "hash": "62dca49f0781bf26b4305bddb0414bea"}, {"key": "bountyState", "hash": "fafdd4fbb3fee9a56e17d43689f48d18"}, {"key": "bulletinFamily", "hash": "05ada9a7482161942c43eadd60b0440c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "b6318a7f706df448c5c95d391922356d"}, {"key": "h1reporter", "hash": "88714e576f5e90202717d153e29e43f9"}, {"key": "h1team", "hash": "d2aee34aad3e3d5c63e5e0039b45c292"}, {"key": "href", "hash": "c4ec3223c043872070db363859ea6e58"}, {"key": "modified", "hash": "fc972247068a891f195aba92e81aa2b9"}, {"key": "published", "hash": "644ed5c6265b09046c7f0ca9a9f36277"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "df5f0b65e2fc91373c9d231057a98b36"}, 
{"key": "title", "hash": "1eedbccb5c0b9fb2f11e4b127a69bf57"}, {"key": "type", "hash": "ec83c92514064cbcd1d6878e7bc2471a"}], "hash": "c5fb4dbaf553dd829965f47d907b8fc777dd572a43d17cef7a33dbe8b3bd826a", "viewCount": 26, "enchantments": {"vulnersScore": 5.0}, "objectVersion": "1.3", "bounty": 100.0, "bountyState": "resolved", "h1team": {"handle": "security", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/013/28af2ada2cc00aa9427504fc5a14f587362df84b_medium.png?1445331713", "small": "https://profile-photos.hackerone-user-content.com/000/000/013/68fea1fe00dc833f4109e015738af4b374727e56_small.png?1445331713"}, "url": "https://hackerone.com/security"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/andrisatteka", "username": "andrisatteka"}}