Mohamed.Bassem's blog

By Mohamed.Bassem, 9 years ago, In English

I was playing around with Codeforces and inspecting the networking of the website when I decided to check if Codeforces is vulnerable to CSRF (Cross-Site Request Forgery) attacks or not. I found that all requests contain CSRF tokens but I decided to test it anyway. I copied the request to my terminal and removed the CSRF token and it worked! I tried with different requests and apparently the CSRF tokens — although they existed — were never validated. Codeforces was vulnerable to CSRF attacks.

You can read more about it on my blog: http://blog.mbassem.com/2015/05/09/codeforces-account-takeover/

I want to thank MikeMirzayanov for his fast response and fix!

Your comments are welcome!

+414
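As an added example (not code from the original post, and not Codeforces' own code), the following is a small model of the bug described above: a form handler that embeds a per-session CSRF token in its pages but never checks it on submission, next to a handler that does check it. The probe function repeats the author's test: send a legitimate request, then resend it with the token stripped. Endpoint names, session layout and the sample requests are all constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# A real site would keep this server-side (database, cache, etc.).
SESSIONS = {}


def new_session(user):
    """Log a user in and attach a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "email": None}
    return sid


def render_form(sid):
    """Value of the hidden csrf_token field on the legitimate page.

    An attacker's page cannot read it: the same-origin policy stops
    cross-site JavaScript from fetching the victim's copy of the form.
    """
    return SESSIONS[sid]["csrf_token"]


def attacker_page(target_url, new_email):
    """Auto-submitting cross-site form. The browser attaches the victim's
    session cookie, but the form carries no csrf_token field."""
    return (
        f'<form id="f" method="POST" action="{target_url}">'
        f'<input type="hidden" name="email" value="{new_email}">'
        "</form><script>document.getElementById('f').submit()</script>"
    )


def change_email_vulnerable(cookies, form):
    """Token is emitted in the form but never validated: the bug the post describes."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    sess["email"] = form["email"]
    return 200, "email updated"


def change_email_fixed(cookies, form):
    """Same endpoint with the token compared against the session copy.

    A missing token is a rejection, not a fallthrough, and the comparison is
    constant-time so the token cannot be recovered byte by byte from timing.
    """
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    sess["email"] = form["email"]
    return 200, "email updated"


def csrf_probe(handler):
    """Reproduce the author's check: legitimate request, then the same request
    with the token removed. Returns True if the endpoint still accepts it."""
    sid = new_session("victim")
    cookies = {"session": sid}  # sent automatically by the browser on both requests

    status, _ = handler(cookies, {"email": "victim@example.com", "csrf_token": render_form(sid)})
    if status != 200:
        raise RuntimeError("legitimate request was rejected; probe is not meaningful")

    status, _ = handler(cookies, {"email": "attacker@example.com"})  # token stripped
    return status == 200


if __name__ == "__main__":
    print("vulnerable handler accepts token-less request:", csrf_probe(change_email_vulnerable))
    print("fixed handler accepts token-less request:     ", csrf_probe(change_email_fixed))
```

The probe is the whole audit: if the second request succeeds, the token is decoration. A guessed or stale token should fail the same way as a missing one, which `change_email_fixed` guarantees by comparing whatever was submitted (defaulting to the empty string) against the session's token rather than skipping the check when the field is absent.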

9 years ago, +150

Good job, and thanks for reporting! You gain +100 for a successful hack.