by zaroth 2015 days ago
That’s how I read it as well, almost too absurd to believe.

SetPassword and the parameters to the function are just username and newPassword.

I guess they assumed there was authentication happening before the request would even be served (pre-existing session).


A good example of how security by obscurity can fail. Just because there's no URL to an endpoint exposed doesn't mean it shouldn't be hardened.

I think they assumed it was already hardened by requiring authentication, but didn't do any testing (or were unaware of this endpoint being a thing in the software they use).
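An added illustration of the SetPassword(username, newPassword) handler the thread describes, beside a hardened version that makes the assumed "pre-existing session" check explicit. This is example code, not from the software under discussion; the Request, UserStore and status-code names are assumptions.

```python
"""Model of an unauthenticated SetPassword endpoint and its hardened form.
All names here (Request, UserStore, the handlers) are assumptions for this
example, not the real product's API."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib, hmac, os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class UserStore:
    # username -> (salt, hash); populated with constructed sample users in tests
    users: dict = field(default_factory=dict)
    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt))
    def verify(self, name: str, password: str) -> bool:
        rec = self.users.get(name)
        return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

@dataclass
class Request:
    params: dict                          # parameters exactly as the client sent them
    session_user: Optional[str] = None    # identity bound to a server-side session, if any

def set_password_vulnerable(store: UserStore, req: Request) -> int:
    # As the thread reads it: the handler trusts username + newPassword alone.
    store.add(req.params["username"], req.params["newPassword"])
    return 200

def set_password_hardened(store: UserStore, req: Request) -> int:
    # 1. Authentication: no session means the request is refused outright.
    if req.session_user is None:
        return 401
    target = req.params["username"]
    # 2. Authorization: the caller may only change their own password.
    if req.session_user != target:
        return 403
    # 3. Re-authentication: require the current password so a hijacked
    #    session cannot silently lock the real owner out.
    if not store.verify(target, req.params.get("currentPassword", "")):
        return 403
    store.add(target, req.params["newPassword"])
    return 200
```

The checks in steps 1 and 2 are the ones the thread assumes were already in place; step 3 is the usual extra defence for a password-change path.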