[vasuki]

> I sent random requests using intruder with a CSRF token and random emails with a new password to this endpoint /savepassword

So this endpoint simply allowed setting up a new password with a POST request for the specified email address and he was able to guess the email .. ¯\_(ツ)_/¯

[zaroth]

That’s how I read it as well, almost too absurd to believe.

SetPassword and the parameters to the function are just username and newPassword.

I guess they assumed there was authentication happening before the request would even be served (pre-existing session).

[loa_in_]

A good example of how security by obscurity can fail. Just because there's no url to an endpoint exposed doesn't mean it shouldn't be hardened

[judge2020]

I think they assumed it was already hardened by requiring authentication, but didn't do any testing (or were unaware of this endpoint being a thing in the software they use).