Topcoder: CSRF on general and email preferences

ID H1:868583
Type hackerone
Reporter powerpuff
Modified 2020-05-12T13:36:14
Hi :) There is a CSRF on setting general and email preferences.

Steps To Reproduce:

There is no CSRF token or anything like that on and . I added the PoC HTML files below. An attacker can change the victim's preferences.

Note: This only works for signed-in users. There is a mistake on now. If you encounter an error, you can log in on the main site ( then try.

An attacker can force other users to change their preferences without their knowledge.