The `https://example.com/change_password` endpoint takes two POST body parameters: `user_id` and `new_password`. A POST request to this endpoint would change the password of user `user_id` to `new_password`. This endpoint is not validating the `user_id` parameter, and as a result, any user can change anyone else's password by manipulating the `user_id` parameter.

`https://example.com/change_password`. `user_id` parameter to another user's ID.

`example.com`: account A and account B. `example.com` as account A, and visit `https://example.com/change_password`. `https://example.com/change_password` and change the `user_id` POST parameter to the user ID of account B.

`user_id`. Since each user's public profile page lists the account's `user_id`, anyone can visit any user's profile, find out their `user_id`, and change their password. And because `user_id`s are simply sequential numbers, a hacker can even enumerate all the `user_id`s and change the passwords of all users! This bug will let attackers take over anyone's account with minimal effort.

`user_id` parameter within the change password request to ensure that the user is authorized to make account modifications. Unauthorized requests should be rejected and logged by the application.
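The flaw and the recommended fix side by side, as an added example that is not code from the report or from example.com. The in-memory user store, the audit list and the `session_user_id` argument (standing in for the server-side session) are constructed assumptions; the point is that the fixed handler compares the submitted `user_id` against the authenticated account and rejects and logs any mismatch.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: user_id -> salt (16 bytes) + PBKDF2 hash.
USERS: dict[int, bytes] = {}
# Constructed audit log: the fixed handler appends one entry per rejected request.
AUDIT: list[str] = []


def _hash(password: str, salt: bytes) -> bytes:
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user_id: int, password: str) -> None:
    USERS[user_id] = _hash(password, os.urandom(16))


def verify_password(user_id: int, password: str) -> bool:
    stored = USERS[user_id]
    return hmac.compare_digest(stored, _hash(password, stored[:16]))


def change_password_vulnerable(session_user_id: int, form: dict) -> int:
    """The bug as described: user_id is taken straight from the POST body and
    never compared with the logged-in user, so any account can target any other.
    Returns an HTTP-style status code."""
    set_password(int(form["user_id"]), form["new_password"])
    return 200


def change_password_fixed(session_user_id: int, form: dict) -> int:
    """The recommended fix: the target account must be the authenticated
    account. Any other user_id is rejected (403) and written to the audit log."""
    target = int(form["user_id"])
    if target != session_user_id:
        AUDIT.append(
            f"rejected change_password: session_user={session_user_id} "
            f"target_user={target}"
        )
        return 403
    set_password(target, form["new_password"])
    return 200
```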