Exploiting CSRF in Account Settings for Profile Manipulation

medium.com · Osama Alaa · 10 days ago · research
Osama Alaa · ~2 min read · March 24, 2026

Introduction

In this post, I will discuss a Cross-Site Request Forgery (CSRF) vulnerability I discovered in the account settings of a major e-commerce platform. The vulnerability allowed an attacker to silently modify a user's first and last name without their interaction or consent, simply by tricking them into visiting a malicious web page.

The Vulnerability

While testing the account settings of target.com, I noticed that the endpoint responsible for updating profile information was:

POST /my-account/xapi/v2/account-settings-page

After analyzing the request, I found two critical flaws:

Lack of anti-CSRF tokens: the application did not use any unique, unpredictable token to tie a state-changing request to the user's session, so any request carrying the session cookie was accepted.

Permissive Content-Type: although the application primarily communicates via JSON, the server also accepted standard HTML form submissions (application/x-www-form-urlencoded). This matters because a cross-site HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain, never application/json, and a cross-origin fetch() with a JSON Content-Type triggers a CORS preflight the server would have to approve. Accepting the form encoding removed that incidental protection.

The Attack Scenario

Since the server accepted form-urlencoded data, I was able to craft a classic CSRF PoC using a simple HTML form.

Proof of Concept (PoC)
When a logged-in user visits a page containing the PoC form, the browser submits the POST automatically with the user's session cookies attached, and the name is changed immediately.

Impact

This might seem like a low-severity issue (P4), but in e-commerce the impact is significant:

Integrity violation: unauthorized modification of user data.

Shipping/invoicing issues: user names are often tied to legal invoices and shipping labels.

Phishing/social engineering: attackers can change names to deceptive strings such as "Security Alert" to trick users.

Mitigation

Strict Content-Type enforcement: the server should accept only application/json and reject any other type. Treat this as defense in depth rather than the fix: the body parser must not silently fall back to another encoding, and the protection disappears if the server later grants credentialed cross-origin requests with custom headers through CORS.

Anti-CSRF tokens: implement unique, per-session tokens for all state-changing actions, and compare them server-side in constant time.

SameSite cookie attribute: set the session cookie to SameSite=Lax or Strict. Lax already withholds the cookie on a cross-site POST such as this PoC; Strict also withholds it on top-level GET navigations from other sites.

Conclusion

This bug was reported via Bugcrowd and was validated and resolved by the security team. It serves as a reminder that even modern applications using JSON APIs can be vulnerable to classic attacks if they remain backward compatible with old form-encoded requests.

Author: Osama Alaa (Security Researcher) · Bugcrowd · LinkedIn · GitHub · Website

#cybersecurity #bug-bounty #infosec #web-security #csrf