When user can edit their profile –> Incorrect use of privileged APIs to steal victim’s account
1. Login with hacker's account, get the request when edit profile
2. Replace the endpoint and email with victim's one
3. Send the request.
POC video:
https://drive.google.com/file/d/1fhauDTJ0sbDSMoAuRydHE-60wC8XE_ic/view?usp=sharing