Khan Academy: Account takeover by changing email
The endpoint /signup/email allows users to change their email before they confirm their account email. This endpoint is not protected from CSRF. Thus, any account that is not yet "confirmed" is vulnerable to account takeover using the following steps: 1. Attacker obtains new email address not...