Missing authentication on Notification setting.

Disclosed: 2016-07-26 00:37:14 By vijay_kumar To uber
Unknown
Vulnerability Details
Hi, Notification setting link works without cookies, so an attacker can steal the link from browser history and can change the notification setting of the victim. Notification setting link does not expire even after logout.

Steps to reproduce:
1. Log in as uber rider.
2. Go to profile.
3. Now go to "Manage your email subscription settings".
4. Copy the link of this page and open this link in another browser; it works perfectly.
5. It also works after logout.
Report Stats
  • Report ID: 135891
  • State: Closed
  • Substate: informative
  • Upvotes: 2
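
One way a cookie-less settings link of the kind described in the report can be bounded in scope and lifetime, shown as an added example that is not part of the original report and is not Uber's code. The token layout, `SECRET`, `TTL_SECONDS` and the `revoked_up_to` table are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: server-side key, constructed for this demo
TTL_SECONDS = 7 * 24 * 3600        # assumption: how long a settings link stays usable
SCOPE = "email-prefs"              # the token authorises subscription settings only

# Hypothetical per-user record: tokens issued at or before this time are rejected.
revoked_up_to = {}


def _sign(payload: str) -> bytes:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def issue_token(user_id: str, now: int) -> str:
    """Build the value carried in the link; user ids must not contain '|'."""
    payload = f"{SCOPE}|{user_id}|{now}"
    return f"{payload}|{_sign(payload).decode()}"


def logout(user_id: str, now: int) -> None:
    """Logging out invalidates every settings link issued so far."""
    revoked_up_to[user_id] = now


def check_token(token: str, now: int):
    """Return the user id if the link may change settings, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    scope, user_id, issued_s, sig = parts
    expected = _sign(f"{scope}|{user_id}|{issued_s}")
    # Constant-time comparison; fields are trusted only after this passes.
    if not hmac.compare_digest(sig.encode(), expected):
        return None
    issued = int(issued_s)
    if scope != SCOPE or not 0 <= now - issued <= TTL_SECONDS:
        return None
    if issued <= revoked_up_to.get(user_id, -1):
        return None
    return user_id
```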