A CSRF vulnerability was discovered in a web application's address deletion feature that lacked CSRF token protection, compounded by a predictable numeric addressId parameter that could be brute-forced via JavaScript to delete arbitrary user addresses. The researcher developed a proof-of-concept that sends hundreds of requests with sequential addressId values from a victim's browser to identify and delete their saved addresses.
Site-wide CSRF vulnerability discovered on Messenger.com where CSRF token (fb_dtsg) validation was completely missing on multiple endpoints, allowing attackers to perform unauthorized actions like changing settings and removing users from group threads. The vulnerability affected all POST requests regardless of whether the token was modified, removed, or omitted entirely.