Mediafire CSRF - Delete someone's a/c by sending them a link

chief



Code:
http://www.mediafire.com/dynamic/deleteaccount.php

Sending this link to someone will delete their account without any confirmation (i.e. an "Are you sure you want to delete your account?" prompt doesn't exist).

Obviously you must be logged in for this exploit to work


How could this be used?

-You can delete anyone's account by embedding the webpage in an iFrame

-You can shorten the link using a service like bit.ly or do a simple redirection (the iFrame method is recommended, however, as they will not see a confirmation page if you make it 1px by 1px)

Use your imagination, it's very useful if you want to get back at someone.

What happens with the account?

It's gone. Literally gone. If they ask the Mediafire staff to get it back they might be able to recover but they won't even be able to log in as the account is deleted. It will say the account doesn't exist when they try to log in.

Well, how do I prevent my account from being deleted?

If you use Firefox, please block the specific URL stated above. Otherwise, be careful with URL shortening and use common sense when clicking links.

Credit: ConfusedHatter
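The root cause described above is a state-changing action reachable by a plain GET with no per-session token and no confirmation step, so any page the victim visits while logged in can trigger it. The following is an added example of the server-side checks that close that hole; it is not Mediafire's code, and the dict-shaped request/session objects, the SITE_ORIGIN value and the form field names are assumptions.

```python
"""Added example (not Mediafire's code): server-side checks that make an
account-deletion endpoint resistant to the link/iframe CSRF described above.
`request` and `session` are plain dicts standing in for a framework's objects."""
import hmac
import secrets
from typing import Tuple

SITE_ORIGIN = "https://www.mediafire.com"  # assumed canonical site origin


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret; the site's own delete form embeds it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def authorize_account_deletion(request: dict, session: dict) -> Tuple[bool, str]:
    """Decide whether a delete request may proceed.

    Rejects: bare GETs (a link or a 1px iframe can only produce those),
    requests whose Origin is not this site (fails closed if it is absent),
    missing or mismatched CSRF tokens, and requests that skipped the
    explicit confirmation step.
    """
    if request.get("method") != "POST":
        return False, "state-changing action must be POST, not GET"
    origin = request.get("headers", {}).get("Origin")
    if origin != SITE_ORIGIN:
        return False, "cross-origin or unknown-origin request"
    form = request.get("form", {})
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing info.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    if form.get("confirm") != "DELETE":
        return False, "explicit confirmation not given"
    return True, "ok"


if __name__ == "__main__":
    sess = {"user_id": 42}          # constructed logged-in session
    tok = issue_csrf_token(sess)
    # Constructed: what following the posted link produces on the server
    link_hit = {"method": "GET", "headers": {"Referer": "https://evil.example/"}}
    print(authorize_account_deletion(link_hit, sess))   # rejected
    # Constructed: a genuine submission of the site's own confirmation form
    real = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "form": {"csrf_token": tok, "confirm": "DELETE"}}
    print(authorize_account_deletion(real, sess))       # (True, 'ok')
```

Setting the session cookie with SameSite=Lax or Strict adds a browser-side layer on top of these checks, but the token and POST requirement are what make the endpoint safe regardless of client.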