Users can be tricked into starting connected account association

Status: This content is read-only, or is not open for further replies.

Kirby

Guest

offline

OP
Apr 22, 2025
0
83

Starting a connected account association is done via GET, this allows to trick users into clicking a link that starts a connected account association which they might not want to perform.

Example
Start associate account with Google

Suggested Mitigation
Only start the process with POST, if called via GET show a confirmation (or an error if it's not a navigational request).

Continue reading...

Show hidden low quality content

Status: This content is read-only, or is not open for further replies.

Facebook Reddit Pinterest WhatsApp Email Link

Home
Community
Rss Feed
Xenforo RSS

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Top Bottom