The `https://example.com/change_password` endpoint takes two POST body parameters: `user_id` and `new_password`. A POST request to this endpoint changes the password of the user identified by `user_id` to `new_password`. The endpoint does not validate the `user_id` parameter against the logged-in user, and as a result, any user can change anyone else's password by setting the `user_id` parameter to another user's ID.
To reproduce, create two accounts on example.com: account A and account B. Log in to example.com as account A, visit `https://example.com/change_password`, and change the `user_id` POST parameter to the user ID of account B. The password of account B is changed.
The only thing an attacker needs to know is the victim's `user_id`. Since each user's public profile page lists the account's `user_id`, anyone can visit any user's profile, find out their `user_id`, and change their password. And because `user_id`s are simply sequential numbers, a hacker can even enumerate all the `user_id`s and change the passwords of all users. This bug lets attackers take over anyone's account with minimal effort.
Validate the `user_id` parameter within the change password request against the authenticated session to ensure that the user is authorized to modify that account. Unauthorized requests should be rejected and logged by the application.
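As an added illustration (not code from the original report or from example.com), here is a simulated change-password handler in both forms: the vulnerable version trusts the `user_id` in the request body, while the hardened version checks it against the server-side session identity and rejects and logs a mismatch, as the remediation above requires. The user store, IDs and passwords are constructed sample data.

```python
"""Simulated change_password handler: vulnerable form beside hardened form."""
import logging

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("change_password")

# Constructed sample user store (not real accounts): user_id -> current password.
USERS = {1001: "alice-old", 1002: "bob-old"}


def change_password_vulnerable(users, session_user_id, form):
    """Trusts the client-supplied user_id (IDOR): the session identity is never consulted,
    so any logged-in user can reset any other user's password."""
    target = int(form["user_id"])
    if target not in users:
        return 404, "no such user"
    users[target] = form["new_password"]
    return 200, "password changed"


def change_password_hardened(users, session_user_id, form):
    """Authorizes the request against the server-side session, not the request body."""
    try:
        target = int(form["user_id"])
    except (KeyError, ValueError):
        return 400, "bad request"
    if target != session_user_id:
        # Reject and log: the session user is not authorized to modify another account.
        log.warning("unauthorized change_password: session user %s targeted user %s",
                    session_user_id, target)
        return 403, "forbidden"
    if target not in users:
        return 404, "no such user"
    users[target] = form["new_password"]
    return 200, "password changed"


def demo():
    """Account A (1001) is logged in and submits account B's (1002) user_id, as in the report.
    Returns (vulnerable status, B's password after, hardened status, B's password after)."""
    attack = {"user_id": "1002", "new_password": "attacker-chosen"}
    vuln_store, hard_store = dict(USERS), dict(USERS)
    vuln_status, _ = change_password_vulnerable(vuln_store, 1001, attack)
    hard_status, _ = change_password_hardened(hard_store, 1001, attack)
    return vuln_status, vuln_store[1002], hard_status, hard_store[1002]


if __name__ == "__main__":
    print(demo())
```

A stricter variant drops the `user_id` body parameter entirely and derives the target account from the session alone, which removes the parameter an attacker would tamper with.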