A JSON-based CSRF vulnerability was discovered on Badoo's mobile site (m.badoo.com) allowing attackers to perform account deletion and contact erasure without CSRF tokens by leveraging HTML form submissions with text/plain encoding to bypass JSON content-type restrictions. The researcher crafted HTML forms that automatically execute privileged API actions when visited by authenticated victims, resulting in a $280 bounty.
The author demonstrates a JSON CSRF vulnerability exploitation technique that bypasses anti-CSRF token validation and origin checks by leveraging HTTP method override functionality. The attack chain involves removing the X-Auth-Token header, converting a PUT request to POST via method override, and crafting a cross-origin AJAX request with a JSON body.
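Both findings above come down to the same server-side gap: a JSON endpoint that accepts a body it should not have accepted (a `text/plain` form post in the first, a method-overridden cross-origin request without its auth header in the second). The following is an added defensive example, not code from either write-up or from Badoo: a request gate that a JSON API would run before any state-changing handler. The origin allow-list, the `check_json_request` function and the sample requests are constructed for illustration.

```python
"""Gate for state-changing JSON API requests (added example, not from the original page).

Closes the two CSRF paths described in the summaries above:
  * form-based JSON CSRF  -> enforce an exact application/json media type
                             (HTML forms can only send text/plain, urlencoded or multipart)
  * method-override CSRF  -> never honour X-HTTP-Method-Override / ?_method=,
                             and require the custom auth header plus a matching Origin.
"""
from urllib.parse import urlsplit

# Constructed allow-list; a real deployment would load its own origins.
ALLOWED_ORIGINS = {"https://m.example.com", "https://example.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
METHOD_OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override", "x-http-method")


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin_of(url):
    """Reduce a URL (e.g. a Referer) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def check_json_request(method, headers, query=None):
    """Return (allowed, reason). `query` is the parsed query-string dict, if any."""
    method = method.upper()
    if method not in STATE_CHANGING:
        return True, "read-only method"

    # 1. Method override is an attack surface, not a feature, on a JSON API:
    #    a plain POST must never be promoted to PUT/DELETE by a header or parameter.
    for name in METHOD_OVERRIDE_HEADERS:
        if _header(headers, name) is not None:
            return False, "method override not permitted"
    if query and "_method" in query:
        return False, "method override not permitted"

    # 2. Exact media type. Parameters such as charset are fine, but text/plain,
    #    urlencoded and multipart (everything an HTML form can emit) are rejected.
    ctype = _header(headers, "content-type") or ""
    media = ctype.split(";", 1)[0].strip().lower()
    if media != "application/json":
        return False, f"unexpected content type {media or '<none>'}"

    # 3. A custom header that a form cannot set and a cross-origin XHR can only
    #    send after a CORS preflight the server must not approve.
    if not _header(headers, "x-auth-token"):
        return False, "missing X-Auth-Token"

    # 4. Origin check with Referer fallback; absence is treated as cross-site.
    origin = _header(headers, "origin")
    if origin is None:
        referer = _header(headers, "referer")
        origin = _origin_of(referer) if referer else None
    if origin is None:
        return False, "no Origin or Referer"
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    return True, "ok"


# Constructed sample requests mirroring the two bypass shapes and one legitimate call.
FORM_POST = {"Content-Type": "text/plain", "Origin": "https://attacker.example"}
OVERRIDE_POST = {
    "Content-Type": "application/json",
    "X-Auth-Token": "token",
    "Origin": "https://m.example.com",
    "X-HTTP-Method-Override": "PUT",
}
LEGIT_PUT = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Auth-Token": "token",
    "Origin": "https://m.example.com",
}

if __name__ == "__main__":
    for label, method, hdrs in (("form post", "POST", FORM_POST),
                                ("override", "POST", OVERRIDE_POST),
                                ("legit", "PUT", LEGIT_PUT)):
        print(label, check_json_request(method, hdrs))
```

The gate is deliberately layered: the content-type check alone stops the form-based variant, while the override and origin checks cover the AJAX variant even if a CORS misconfiguration elsewhere lets the preflight through. The matching CORS policy is the other half: never reflect an arbitrary `Origin` with `Access-Control-Allow-Credentials: true`.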