Posted May 6, 2020 by Anthony
A bug was reported to us on Twitter that allowed a cross-site request forgery (CSRF) to reset an account's email address: if a logged-in user loaded an external page, that page could make a request back to us and the user's session cookie was accepted as authorisation. This could have led to account takeover (no data leakage), because the attacker could then use the "forgot login" flow on the login page to send a password reset to the new address, provided the account did not have 2FA enabled. This error is one that should not have happened, and it was fixed within 20 minutes of being reported to us.
Not only was the bug fixed, but we also redesigned the limit system to block any and all external loading of, or even referral to, the Cloud Dashboard, because of how sensitive the data on that domain is. As a result, even if you are logged in, following a link to the dashboard from an external domain, including a Google search result, will fail and you will be shown an error page.
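As an added illustration of the kind of server-side check described above, here is an Origin/Referer/Fetch-Metadata gate for requests to a sensitive dashboard origin. This is example code written for this page, not the vendor's implementation; the dashboard origin, the header names it trusts, and the sample requests are all assumed or constructed.

```python
"""Cross-site request gate for a sensitive dashboard origin (illustrative example).

Not the vendor's code. DASHBOARD_ORIGIN and every sample request below are
constructed for this example.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption for this example: the Cloud Dashboard is served from exactly this origin.
DASHBOARD_ORIGIN = "https://dashboard.example.com"

# Methods that must not change state; everything else is treated as a write.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None for 'null', empty or relative values."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_allowed(method: str, headers: Dict[str, str],
                    allowed_origin: str = DASHBOARD_ORIGIN) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to the dashboard origin.

    Policy modelled on the post: a request that the browser shows to come from
    another site is refused, whether it is a cross-site POST (the CSRF case) or
    a top-level navigation from a search result. Requests whose source cannot be
    determined are allowed only for safe methods, so an external page that
    suppresses Referer still cannot trigger a state change.
    """
    method = method.upper()
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Sec-Fetch-Site is set by the browser and cannot be forged by page script.
    site = h.get("sec-fetch-site")
    if site is not None:
        if site in ("same-origin", "none"):      # own pages, or a typed URL / bookmark
            return True, f"sec-fetch-site={site}"
        return False, f"sec-fetch-site={site}"    # 'same-site' (another subdomain) or 'cross-site'

    # 2. Fallback for browsers without Fetch Metadata: Origin first, then Referer.
    source = h.get("origin") or h.get("referer")
    if source is None:
        if method in SAFE_METHODS:
            return True, "no source header on safe method"
        return False, "no source header on state-changing method"  # fail closed

    src_origin = origin_of(source)
    if src_origin is None:                        # e.g. 'Origin: null' from a sandboxed frame
        return False, f"unparseable source {source!r}"
    if src_origin != allowed_origin.lower():
        return False, f"cross-site source {src_origin}"
    return True, f"same-origin source {src_origin}"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # The reported bug: a logged-in user's browser sends the session cookie along
    # with a request forged by an attacker-controlled page.
    "csrf email reset": ("POST", {"Origin": "https://attacker.example",
                                  "Referer": "https://attacker.example/reset.html",
                                  "Sec-Fetch-Site": "cross-site",
                                  "Cookie": "session=opaque-value"}),
    # The behaviour the post announces: a click on a Google result is refused.
    "google search result": ("GET", {"Referer": "https://www.google.com/",
                                     "Sec-Fetch-Site": "cross-site"}),
    # Normal use of the dashboard from its own pages.
    "dashboard form post": ("POST", {"Origin": "https://dashboard.example.com",
                                     "Sec-Fetch-Site": "same-origin"}),
    # Typed URL or bookmark: no source headers at all.
    "typed url": ("GET", {}),
    # Legacy browser, Referer stripped by the linking page's Referrer-Policy.
    "legacy blind post": ("POST", {}),
}

if __name__ == "__main__":
    for name, (method, headers) in SAMPLES.items():
        ok, reason = request_allowed(method, headers)
        print(f"{name:22} {'allow' if ok else 'BLOCK':5} ({reason})")
```

Two caveats apply to a check like this. Referer can be suppressed by the linking page's Referrer-Policy, so a rule that only compares Referer lets a blind cross-site write through; the fallback branch above therefore rejects state-changing requests that carry neither Origin nor Referer. Source-header checks are also a defence in depth, not a replacement for a per-request CSRF token or a `SameSite` session cookie on the endpoints that change an account's email or password.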
We would like to thank Jordan Baron (@codedbyjordan), who messaged us and offered to send details and a video of the bug; we ended up fixing it before he was able to.