Sensitive information/action is stored/done using a GET request
Discovered by dermeister on Khanacademy

This issue took 2 days and 1 hour to triage and 997 days and 3 hours to resolve once triaged.



Description:

The action to remove an email address from an account is performed with a GET request, and the request carries the security token as a URL parameter.

The URL is : https://www.khanacademy.org/settings/unlinkaccount?email=134hackerone%40gmail.com&fkey=<security token here>

It is never good practice to carry sensitive information in a URL, for the following reasons:

  • GET requests can be cached
  • GET requests remain in the browser history
  • GET requests can be bookmarked

Whereas:

  • POST requests are never cached
  • POST requests do not remain in the browser history
  • POST requests cannot be bookmarked

Attack Scenario:

If the URL falls into the hands of a malicious user, they can host a malicious website and perform a CSRF attack against the victim, unlinking that email address.
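As an added illustration of the report's point (this is not Khan Academy's code), the following Python compares the reported pattern, a state-changing unlink honoured on GET with the fkey token in the query string, against a hardened handler that only acts on POST with the token in the request body, and adds a small access-log check that flags request lines where fkey has leaked into a URL. The handler names, session token and log lines are constructed for the example; the endpoint path and the fkey parameter name come from the report.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

SESSION_TOKEN = "tok-constructed-1234"  # constructed per-session CSRF token

def vulnerable_unlink(url, session_token=SESSION_TOKEN):
    """The reported pattern: any method, token read from the query string."""
    qs = parse_qs(urlsplit(url).query)
    token = qs.get("fkey", [""])[0]
    if not hmac.compare_digest(token, session_token):
        return 403, "bad token"
    # The full URL, token included, now sits in history, caches and logs.
    return 200, "unlinked " + qs.get("email", [""])[0]

def hardened_unlink(method, url, form, session_token=SESSION_TOKEN):
    """State change only on POST; token only accepted from the body."""
    if method != "POST":
        return 405, "state-changing action requires POST"
    if "fkey" in parse_qs(urlsplit(url).query):
        # A token in the URL is treated as leaked, even on a POST.
        return 400, "fkey must not appear in the query string"
    if not hmac.compare_digest(form.get("fkey", ""), session_token):
        return 403, "bad token"
    return 200, "unlinked " + form.get("email", "")

def urls_leaking_fkey(access_log_lines):
    """Detection: flag request lines whose query string carries fkey."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        method, target = parts[0], parts[1]
        if "fkey" in parse_qs(urlsplit(target).query):
            hits.append((method, urlsplit(target).path))
    return hits

LOG = [  # constructed sample access-log request lines
    "GET /settings/unlinkaccount?email=a%40example.com&fkey=tok-constructed-1234 200",
    "POST /settings/unlinkaccount 200",
    "GET /settings 200",
]
```

Note that the vulnerable handler validates the token correctly and still fails: the problem is where the token travels, not whether it is checked.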