Hello IRCCloud Security Team,
Session token is not verified while changing account settings, which results in account takeover
I have found that while changing settings the session token is not verified. So an attacker can basically plot a CSRF attack which would change the default email of the user, and this would lead to account takeover.
I have made a proof-of-concept video of the same: https://www.youtube.com/watch?v=YvlYElGb40A
The above video is unlisted.
With regards, Aditya Agrawal
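
The check the report describes as missing, shown as an added example that is not part of the original report and is not IRCCloud's code: a settings handler that trusts the session cookie alone, beside one that also requires a token bound to that session. Every name, the in-memory stores and the HMAC-derived token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory state for this example (all names are hypothetical).
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session cookie value -> user id
USERS = {}     # user id -> {"email": ...}


def token_for(cookie):
    """Derive the anti-CSRF token from the session cookie with an HMAC."""
    return hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()


def login(user_id, email):
    """Create a session; return the cookie and the token the page embeds in forms."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = user_id
    USERS[user_id] = {"email": email}
    return cookie, token_for(cookie)


def change_email_unchecked(cookie, form):
    """Flawed handler: the cookie the browser attaches is the only authorization."""
    user_id = SESSIONS.get(cookie)
    if user_id is None:
        return 401
    USERS[user_id]["email"] = form["email"]
    return 200


def change_email_checked(cookie, form):
    """Hardened handler: the form must also carry the session-bound token."""
    user_id = SESSIONS.get(cookie)
    if user_id is None:
        return 401
    supplied = str(form.get("token", "")).encode()
    expected = token_for(cookie).encode()
    # Constant-time comparison; a cross-site form cannot read or guess the token.
    if not hmac.compare_digest(supplied, expected):
        return 403  # reject before any state changes
    USERS[user_id]["email"] = form["email"]
    return 200
```

A request submitted from another origin carries the cookie but not the token, so the first handler accepts it and the second returns 403 with the email left unchanged.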