Mojira Archive
WEB-285

CSRF Email Sending

The URLs
https://account.mojang.com/me/settings/changeSecretQuestions/send
and
https://account.mojang.com/me/settings/email/send
are currently vulnerable to a Cross-site request forgery attack. When loaded via iframe, these pages send an email without user consent, and can be used to flood the inbox of any logged-in user via repeatedly loading them using JavaScript. This issue is closely related to WEB-227, and should be resolved using a similar method. Please instate site-wide X-Frame-Options headers on both mojang.com and minecraft.net. I've attached a proof-of-concept, which should send you an email (if logged in to mojang.com) every 500ms.
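The report describes two properties that together make the endpoints forgeable: the mail-sending side effect fires on a plain GET (which is what an iframe or repeated script load issues), and nothing ties the request to a form the user actually submitted. The following Python sketch is an added illustration, not Mojang's code, of a request handler that closes both gaps and also emits the anti-framing headers the reporter asks for. The `Session` class, the `ALLOWED_ORIGINS` set, the `handle_request` signature and the `sent_log` stand-in for the real mail send are all assumptions made for the example.

```python
"""Added illustration (not Mojang's code): how a "send" endpoint can refuse the
cross-site, iframe-triggered requests the report describes.

Assumptions (hypothetical): a Session object carrying a per-session CSRF token,
a form dict parsed from a POST body, and an ALLOWED_ORIGINS set for the site.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Mitigation the report asks for, applied to every response: a frame-busting
# header (plus its CSP equivalent) so the pages cannot be loaded in an iframe.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Origins that may legitimately submit these forms (assumed for the example).
ALLOWED_ORIGINS = {"https://account.mojang.com"}

# The two state-changing endpoints named in the report.
SEND_ENDPOINTS = {
    "/me/settings/email/send",
    "/me/settings/changeSecretQuestions/send",
}


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def handle_request(method, path, request_headers, session, form, sent_log):
    """Return (status, response_headers). Appends to sent_log only when an
    email would actually be sent, so callers can verify nothing fired."""
    response_headers = dict(ANTI_FRAMING_HEADERS)
    if path not in SEND_ENDPOINTS:
        return 404, response_headers
    if session is None:
        return 401, response_headers
    # 1. A side effect must never be reachable with a plain GET, which is
    #    exactly what an <iframe src=...> or a repeated page load issues.
    if method != "POST":
        response_headers["Allow"] = "POST"
        return 405, response_headers
    # 2. Defence in depth: browsers attach Origin to cross-site POSTs, so a
    #    foreign origin can be rejected before the token is even inspected.
    origin = request_headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, response_headers
    # 3. The request must prove it came from a form this session rendered:
    #    compare the submitted token with the session's in constant time.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, response_headers
    sent_log.append((session.user, path))  # stand-in for the real mail send
    return 200, response_headers


if __name__ == "__main__":
    sent = []
    sess = Session(user="alice")
    for method, hdrs, form in [
        ("GET", {}, {}),                                   # iframe-style load
        ("POST", {"Origin": "https://evil.example"}, {}),  # cross-site POST
        ("POST", {}, {"csrf_token": sess.csrf_token}),     # genuine form
    ]:
        status, _ = handle_request(method, "/me/settings/email/send",
                                   hdrs, sess, form, sent)
        print(method, status, "emails sent so far:", len(sent))
```

Only the last branch, a POST carrying the session's own token, reaches the send step; every response, including the refusals, carries the anti-framing headers, so the fix does not depend on the caller hitting a particular code path.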

Fixed

Dylan

[Mojang] Kristoffer Jelbring

2016-02-24, 05:07 AM

2016-02-25, 01:16 PM

2016-02-25, 01:16 PM

0

1