IRCCloud: Session Token is not Verified while Changing Account Settings, which Results in Account Takeover

2014-04-10T22:58:58
ID H1:6907
Type hackerone
Reporter exploitprotocol
Modified 2014-04-23T11:16:00

Description

Hello IrcCloud Security Team,

Vulnerability Details:-

Session Token is not Verified while Changing Account Settings, which Results in Account Takeover

Description:-

I have found that while changing settings, the session token is not verified. So an attacker can basically plot a CSRF attack which would change the default email of the user, and this would lead to account takeover.
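
The defect described above, as an added example that is not IRCCloud's code: a minimal settings-change handler in the vulnerable form (the session cookie is the only check) beside a hardened form that also requires an anti-CSRF token bound to the session. The secret, session store, account data and request shapes are constructed for illustration and are assumptions, not anything from the report.

```python
import hashlib
import hmac
import secrets

# Constructed data: a server-side secret that never reaches the browser, and a
# session store mapping session-cookie values to users.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-alice-123": "alice", "sess-mallory-456": "mallory"}


def fresh_accounts() -> dict:
    """Constructed account table; returned fresh so each scenario starts clean."""
    return {"alice": {"email": "alice@example.com"},
            "mallory": {"email": "mallory@example.net"}}


def csrf_token_for(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC(secret, session id).

    The settings page embeds this value in its form. A page on another origin
    cannot read the session cookie or the secret, so it cannot produce it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_email_vulnerable(accounts: dict, request: dict) -> bool:
    """Vulnerable handler: accepts any request whose session cookie is valid.

    Browsers attach cookies automatically, so a form auto-submitted from an
    attacker-controlled page carries the victim's session and is accepted."""
    user = SESSIONS.get(request.get("cookie_session"))
    if user is None:
        return False
    accounts[user]["email"] = request["form"]["email"]
    return True


def change_email_hardened(accounts: dict, request: dict) -> bool:
    """Hardened handler: the form must carry the token bound to *this* session."""
    session_id = request.get("cookie_session")
    user = SESSIONS.get(session_id)
    if user is None:
        return False
    submitted = request["form"].get("csrf_token", "")
    expected = csrf_token_for(session_id)
    # Constant-time comparison so token checking does not leak via timing.
    if not hmac.compare_digest(submitted, expected):
        return False
    accounts[user]["email"] = request["form"]["email"]
    return True


def forged_request(new_email: str, token: str = "") -> dict:
    """Shape of a cross-origin form POST as the server sees it: the victim's
    cookie is present (added by the browser), but the form carries no token,
    or at best a token from some other session."""
    form = {"email": new_email}
    if token:
        form["csrf_token"] = token
    return {"cookie_session": "sess-alice-123", "form": form}


def legitimate_request(new_email: str) -> dict:
    """Request from the real settings page: cookie plus the matching token."""
    session_id = "sess-alice-123"
    return {"cookie_session": session_id,
            "form": {"email": new_email, "csrf_token": csrf_token_for(session_id)}}


def run_scenarios() -> dict:
    """Exercise both handlers and report whether alice's email was changed."""
    results = {}

    accounts = fresh_accounts()
    change_email_vulnerable(accounts, forged_request("attacker@example.invalid"))
    results["vulnerable_forged"] = accounts["alice"]["email"]

    accounts = fresh_accounts()
    change_email_hardened(accounts, forged_request("attacker@example.invalid"))
    results["hardened_forged"] = accounts["alice"]["email"]

    # Token from mallory's own session replayed against alice's cookie.
    accounts = fresh_accounts()
    change_email_hardened(accounts, forged_request(
        "attacker@example.invalid", csrf_token_for("sess-mallory-456")))
    results["hardened_foreign_token"] = accounts["alice"]["email"]

    accounts = fresh_accounts()
    change_email_hardened(accounts, legitimate_request("alice.new@example.com"))
    results["hardened_legitimate"] = accounts["alice"]["email"]
    return results


if __name__ == "__main__":
    for name, email in run_scenarios().items():
        print(f"{name}: alice's email is now {email}")
```

The token is derived from the session id rather than stored as a bare random value so that a token harvested from the attacker's own logged-in session is useless against another user's cookie. For an email-address change specifically, the usual additional controls are to require the current password on the request and to send a confirmation to the old address before the change takes effect, since this field is the recovery anchor for the account; `SameSite` cookie attributes reduce exposure further but do not replace the token check.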

POC:-

I have made a proof-of-concept video of the same: https://www.youtube.com/watch?v=YvlYElGb40A (the above video is unlisted).

With Regards, Aditya Agrawal