Account takeover at due to no CSRF protection in connecting Yahoo account
State Resolved (Closed)
Disclosed publicly 2018-12-06T02:35:56.686Z
Reported To
Weakness Cross-Site Request Forgery (CSRF)
Bounty $512

submitted a report to Discourse.


There is an option in to connect our Yahoo account.

I noticed the Connect Yahoo account option has a workflow using the GET method, and there is a lack of CSRF protection on connecting a Yahoo account, which can help an attacker induce the victim to connect the attacker's Yahoo account to the victim's Discourse account, and this leads to full takeover of the victim's account.

Vulnerable Request:

GET /auth/yahoo/callback?_method=post& HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

  1. Attacker goes to
  2. Switch on the Burp interceptor and click on Yahoo connect.
  3. Go to the Burp interceptor; after forwarding some requests, the attacker will find the above-mentioned vulnerable request.
  4. Copy that and drop the request (here you have saved the auth token generated by Yahoo).
  5. Now feed the copied request to the authenticated victim (as an HTML form or as a URL).
  6. The victim gets the message "authentication complete" and is redirected to
  7. The attacker opens his browser and tries to log in with Yahoo.
  8. The attacker is redirected to
  9. The attacker opens
  10. Check: the victim's account is successfully compromised.


Account Takeover.


avinash_ Activities::Comment
Anybody to respond?

ktistai Activities::Comment
Hi @avinash_ , Thanks for your submission. We are currently reviewing your report and will get back to you once we have additional information to share. Kind regards, @ktistai

ktistai Activities::BugTriaged
Hi @avinash_ Thank you for your submission! We were able to validate your report, and we have submitted it to the appropriate remediation team for review. They will let us know the final ruling on this report, and if/when a fix will be implemented. Please note that the status and severity are subject to change. Thanks, @ktistai

avinash_ Activities::Comment
Hi @ktistai, it seems fixed. On connecting a Yahoo account it is now releasing a CSRF token (as `state=token123`). While reproducing the attack it gives an error message: `Sorry, there was an error authorizing your account. Perhaps you did not approve authorization?`. Can you please check this from your end! Best regards

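The missing check in the report above, and the `state` token the comment just before this describes, shown side by side as an added illustration in Ruby (Discourse being a Rails application). This is not Discourse's or OmniAuth's code: the session is a plain Hash, the provider's code-to-account lookup is a lambda, and the URL and account names are constructed.

```ruby
require 'securerandom'

# Constructed stand-ins: a Hash plays the victim's server-side session and a
# lambda plays the provider's "authorization code -> account" lookup.
RESOLVE_IDENTITY = ->(code) { code.sub(/\Acode-for-/, '') }

# Vulnerable callback: any request carrying a valid provider code gets that
# provider account linked to whoever is currently logged in.
def vulnerable_callback(session, params, resolve = RESOLVE_IDENTITY)
  return :error unless params['code']
  session[:linked_account] = resolve.call(params['code'])
  :linked
end

# Hardened flow, step 1: mint an unguessable `state`, keep it in the session of
# the browser that started the link, and send it along to the provider.
def begin_link(session)
  session[:oauth_state] = SecureRandom.hex(32)
  "https://provider.example/authorize?state=#{session[:oauth_state]}" # constructed URL
end

# Constant-time comparison so the check leaks nothing about the stored token.
def secure_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened flow, step 2: honour the callback only if `state` matches the one
# this session minted. The token is consumed, so a replayed callback fails too.
def hardened_callback(session, params, resolve = RESOLVE_IDENTITY)
  expected = session.delete(:oauth_state)
  return :error unless params['code'] && secure_equal?(expected, params['state'])
  session[:linked_account] = resolve.call(params['code'])
  :linked
end

# The scenario from the report: a callback completed for the attacker's own
# account is delivered to a logged-in victim whose session never minted a state.
def simulate_attack(callback)
  victim_session = { user_id: 42 }
  params = { 'code' => 'code-for-attacker@yahoo.example' } # constructed
  [callback.call(victim_session, params), victim_session[:linked_account]]
end

# Legitimate link against the hardened handler: succeeds once, replay rejected.
def simulate_legitimate_link
  session = { user_id: 7 }
  begin_link(session)
  params = { 'code' => 'code-for-victim@yahoo.example', 'state' => session[:oauth_state] }
  first = hardened_callback(session, params)
  [first, hardened_callback(session, params), session[:linked_account]]
end
```
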
discourse_team Activities::BugResolved


avinash_ Activities::Comment
Hi @discourse_team Thanks for bounty :) Best Regards

avinash_ Activities::AgreedOnGoingPublic
Pretty nice bug... Can we please disclose this?