I was playing around with Codeforces and inspecting the networking of the website when I decided to check if Codeforces is vulnerable to CSRF (Cross-Site Request Forgery) attacks or not. I found that all requests contain CSRF tokens but I decided to test it anyway. I copied the request to my terminal and removed the CSRF token and it worked! I tried with different requests and apparently the CSRF tokens — although they existed — were never validated. Codeforces was vulnerable to CSRF attacks.
You can read more about it on my blog: http://blog.mbassem.com/2015/05/09/codeforces-account-takeover/
I want to thank MikeMirzayanov for his fast response and fix!
Your comments are welcome!
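The missing server-side check described in the post above, as an added example (not Codeforces' code and not from the post's author): a validator that fails closed when the token is absent, plus a regression check that replays one request with the token intact, removed, empty and swapped. The session layout, the `csrf_token` field name and the sample form values are assumptions constructed for illustration.

```python
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def issue_csrf_token(session: dict) -> str:
    """Create a random token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_check(method: str, session: dict, form: dict):
    """Return (allowed, reason); state-changing requests fail closed."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    expected = session.get("csrf_token")
    if not expected:
        return False, "no token bound to session"
    supplied = form.get("csrf_token")
    if not supplied:
        # The case from the post: the token was removed and the request still worked.
        return False, "token missing"
    # Constant-time comparison of the session's token with the submitted one.
    if not hmac.compare_digest(expected.encode(), str(supplied).encode()):
        return False, "token mismatch"
    return True, "token valid"

def replay_variants(session: dict, form: dict) -> dict:
    """Replay one POST with the token intact, removed, empty and foreign."""
    variants = {
        "intact": dict(form),
        "removed": {k: v for k, v in form.items() if k != "csrf_token"},
        "empty": {**form, "csrf_token": ""},
        "foreign": {**form, "csrf_token": secrets.token_urlsafe(32)},
    }
    return {name: csrf_check("POST", session, f)[0] for name, f in variants.items()}

if __name__ == "__main__":
    session = {}  # constructed sample session
    form = {"email": "new@example.test", "csrf_token": issue_csrf_token(session)}
    for name, allowed in replay_variants(session, form).items():
        print(f"{name:8s} -> {'accepted' if allowed else 'rejected'}")
```

Only the "intact" variant should be accepted; a handler that accepts "removed" has the behaviour the post reports.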
Good job, and thanks for reporting! You gain +100 for a successful hack.
It's +217 already.
plot twist: you gain +100 :)
I was waiting for the right time to post the exact same comment :D