Place Your Ad Here

Solved Users can be tricked into starting connected account association

This topic has been solved
K

Kirby

Guest
Starting a connected account association is done via GET, this allows to trick users into clicking a link that starts a connected account association which they might not want to perform.

Example
Start associate account with Google

Suggested Mitigation
Only start the process with POST, if called via GET show a confirmation (or an error if it's not a navigational request).

Continue reading...
 
You must log in or register to reply here.

Similar threads

K
Bug Users can be tricked into starting connected account association
Replies
0
Views
79
XenForo General Discussions
Kirby
K
B
Ques/Help What are these greyed out users?
Replies
0
Views
29
XenForo General Discussions
bennylava
B
M
Bug After thread merge, users watching thread A get notification for new posts but no flag
Replies
0
Views
26
XenForo General Discussions
Mr Lucky
M
S
Ques/Help How to create a custom thread field with latest 5 years (auto-update upon new year) for users to choose from?
Replies
0
Views
44
XenForo General Discussions
securedme
S
W
XenForo Xenforo Deleted all users but it didn't remove their reactions
Replies
0
Views
50
XenForo Development & Modifications
Wishingz
W
Top Bottom
Back