Fixed Users can be tricked into starting connected account association

K

Kirby

Well-known member
Affected version
2.3.6
Starting a connected account association is done via GET, this allows to trick users into clicking a link that starts a connected account association which they might not want to perform.

Example
Start associate account with Google

Suggested Mitigation
Only start the process with POST, if called via GET show a confirmation (or an error if it's not a navigational request).
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.7).

Change log:
Require confirmation for linking connected accounts
Click to expand...
There may be a delay before changes are rolled out to the XenForo Community.
 

Similar threads

K
Fixed Users can be tricked into marking content read without actually reading it
Replies
1
Views
532
Mike
Mike
Back
Top Bottom