There's cross-site request forgery (CSRF) protection, but how good is it?

Challenge Information

Note: Use a keen eye on this challenge to notice what's happening

Our admin panel was hacked because someone discovered a way to force a request to be sent when we visited a malicious website. I got John onto it and he added CSRF protection, and even did some checks to make sure no-one was trying to iframe us from their site! I think we're safe now. I've learnt what CSRF is and I'm pretty sure no-one can force the admin password to be reset if we were tricked onto another malicious site.

Challenge target: Can you successfully force the admin password to be updated via CSRF? This means you must be on YOUR site and be able to force the data to be updated successfully. You must see the "Changes saved!" message in green (or prove it with screenshot of request), and your attack should require no more than 1 user interaction.
