Cross-Account Profile Picture Deletion via CSRF Token Bypass Paid Me $500

Hajus
Jul 11, 2024


As a security researcher passionate about uncovering vulnerabilities, I recently set out to test the security of web applications. I discovered a medium-severity vulnerability on a public bug bounty program, which I will refer to as “target.com” in this write-up. The vulnerability allowed unauthorized deletion of user profile pictures through a Cross-Site Request Forgery (CSRF) token bypass, earning me a $500 bounty.

So, without wasting your time, let's get started.

The vulnerability existed in the profile picture deletion functionality of target.com. By exploiting this flaw, an attacker could delete the profile picture of any user without proper authorization. This not only posed a risk of account compromise but could also lead to significant data loss.

Registration and Initial Testing: I started by registering an account on target.com and began testing various functionalities manually. After 10 hours of thorough testing, I hadn’t found anything significant. However, I decided to take a closer look at the profile picture deletion functionality.

I navigated to the profile picture deletion page and deleted my profile picture. Using Burp Suite, I intercepted each request to understand the process. I sent these requests to the Repeater to analyze them in detail.

  • Affected Endpoint: /user/edit/personal/picture-delete/
  • Affected Parameter: csrfmiddlewaretoken

I registered another account (Account B) to test this function further. I uploaded a profile picture in Account B and repeated the deletion process, intercepting the requests again. This time, I paid special attention to the CSRF token (csrfmiddlewaretoken), the session details, and the profile ID.

I noticed that by manipulating the profile ID and session token, I could potentially bypass the CSRF protection. Here’s how I did it:

  • From Account A, I navigated to the profile picture deletion page and intercepted the deletion request.
  • I noted the CSRF token and other parameters included in the request.
  • I logged into Account B, repeated the steps to obtain another CSRF token, and uploaded a profile picture.
  • I replaced the session ID (sessionid) and current profile ID (profile_id) in the request from Account B with those from Account A.
  • Finally, I sent the modified request from Account A.

Upon sending the modified request from Account A, I observed that the profile picture of Account B was deleted successfully, confirming the vulnerability.

Below is a sample of the intercepted HTTP request, with the swapped values shown as placeholders:

POST /user/edit/personal/picture-delete/ HTTP/2
Host: target.com
Cookie: sessionid=<session ID swapped from Account B to Account A>; current-profile-id=<profile ID swapped from Account B to Account A>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXiSiO7OTw6Jt5mTN

------WebKitFormBoundaryXiSiO7OTw6Jt5mTN
Content-Disposition: form-data; name="csrfmiddlewaretoken"

sdcQTwzyz6FI54D5CRRqmhtwr5cO8zXbIo2IDpmOnD1WxhhE5LcGmVREOnLIlRAm
------WebKitFormBoundaryXiSiO7OTw6Jt5mTN
Content-Disposition: form-data; name="current_profile_id"

<profile ID swapped from Account B to Account A>
------WebKitFormBoundaryXiSiO7OTw6Jt5mTN--

The root cause of this vulnerability was insufficient validation and enforcement of the CSRF token during sensitive actions.
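As an added illustration (not the author's code and not target.com's), here is a Python model of the pattern at play, built on a simplified version of the Django scheme that the csrfmiddlewaretoken field comes from: a delete handler that checks the CSRF token but takes the target profile from a client-supplied profile ID, beside one that binds the deletion to the authenticated session. The session names, user IDs and in-memory stores are constructed for the example.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

# Constructed model of Django-style CSRF checking: the csrftoken cookie holds a
# 32-char secret, the csrfmiddlewaretoken form field holds a 64-char masked copy.
CSRF_CHARS = string.ascii_letters + string.digits
SECRET_LEN = 32

def mask_token(secret: str) -> str:
    """Form token = random 32-char mask followed by (secret + mask) mod 62, per char."""
    mask = "".join(secrets.choice(CSRF_CHARS) for _ in range(SECRET_LEN))
    pairs = zip((CSRF_CHARS.index(c) for c in secret), (CSRF_CHARS.index(c) for c in mask))
    return mask + "".join(CSRF_CHARS[(s + m) % len(CSRF_CHARS)] for s, m in pairs)

def unmask_token(token: str) -> str:
    """Reverse mask_token: subtract the mask from the masked half."""
    mask, masked = token[:SECRET_LEN], token[SECRET_LEN:]
    pairs = zip((CSRF_CHARS.index(c) for c in masked), (CSRF_CHARS.index(c) for c in mask))
    return "".join(CSRF_CHARS[(x - m) % len(CSRF_CHARS)] for x, m in pairs)

def csrf_ok(cookie_secret: str, form_token: str) -> bool:
    """Accept only a well-formed form token that unmasks to the cookie secret."""
    if len(form_token) != 2 * SECRET_LEN or any(c not in CSRF_CHARS for c in form_token):
        return False
    return hmac.compare_digest(unmask_token(form_token), cookie_secret)

@dataclass
class Request:
    """Constructed stand-in for the intercepted request: cookies plus form fields."""
    cookies: dict
    form: dict

# Constructed server state: session -> user id, user id -> stored profile picture.
SESSIONS = {"sess-A": "userA", "sess-B": "userB"}
PICTURES = {"userA": "a.png", "userB": "b.png"}

def delete_picture_vulnerable(req: Request) -> str:
    """Bug: CSRF passes, but the target profile is whatever the client sends."""
    if not csrf_ok(req.cookies["csrftoken"], req.form["csrfmiddlewaretoken"]):
        return "403 csrf"
    if req.cookies["sessionid"] not in SESSIONS:
        return "401"
    target = req.form.get("current_profile_id") or req.cookies.get("current-profile-id")
    PICTURES.pop(target, None)
    return f"200 deleted {target}"

def delete_picture_fixed(req: Request) -> str:
    """Fix: CSRF checked, and the target is always the session's own profile."""
    if not csrf_ok(req.cookies["csrftoken"], req.form["csrfmiddlewaretoken"]):
        return "403 csrf"
    user = SESSIONS.get(req.cookies["sessionid"])
    if user is None:
        return "401"
    PICTURES.pop(user, None)  # client-supplied profile ids are ignored entirely
    return f"200 deleted {user}"
```

A valid token on its own proves nothing about which profile the request may touch; the fixed handler makes that decision from the server-side session only.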

If you made it to the end, I would like to thank you, and I'll see you again with another write-up.

Mustafa Almohsen.
