June 3, 2026
CSRF Protection Bypass via Method Confusion Leading to Full Account Takeover
The TV login sync feature on tvs.redacted.com allows an attacker to fully take over any redacted user account. By converting a POST request to a GET request and embedding the attacker's own TV code in a crafted link, the attacker can silently authenticate as the victim on the main redacted domain simply by tricking the victim into clicking a URL.
When a user visits tvs.redacted.com, a unique TV code and QR code are displayed. Scanning the QR code triggers an authentication flow that calls a POST endpoint to sync the TV session with the user's redacted account.
The developer relied on the browser's SameSite=Lax cookie policy as the CSRF protection, since Lax prevents cookies from being sent on cross-origin AJAX/fetch requests. However, Lax cookies are still attached to top-level GET navigations, which completely bypasses this protection once the endpoint accepts GET.
The authentication endpoint accepts both POST and GET methods. The server never validates that the request method is strictly POST. Because SameSite=Lax cookies are attached to top-level GET navigations, an attacker can craft a GET link containing their own TV code and deliver a full account takeover via a single click.
Steps to reproduce:
1- Attacker opens tvs.redacted.com and notes the TV code shown on screen (e.g. Random-Code) along with the session GUID.
2- Attacker constructs a GET URL to the sync endpoint using their own TV code and GUID.
3- Attacker sends the crafted link to the victim (via DM, email, phishing page, etc.).
4- Victim clicks the link. The browser performs a top-level GET navigation and attaches the victim's SameSite=Lax session cookies automatically.
5- The server processes the request, syncing the victim's authenticated session to the attacker's TV code.
6- Attacker is now logged into the victim's full redacted account on tvs.redacted.com — using the same cookies as the main redacted.com domain.
Exploit URL (PoC):
https://www.redacted.com/api/v2.1/users/Auth/tvs_sync_account?code=000111&guid={{guid-code}}
The attacker replaces code and guid with their own active TV session values before sending the link to the victim.
Impact:
Full account takeover, dashboard access, PII / account info
Because tvs.redacted.com shares its session cookies with the root redacted.com domain, a successful attack grants the attacker complete access to the victim's redacted account: personal information and all dashboard functionality.
Recommended fix:
- Enforce strict HTTP method validation on the sync endpoint — reject any request that is not POST (return 405 Method Not Allowed).
- Implement an explicit CSRF token in the POST body that is tied to the user's session and verified server-side.
- Consider upgrading the cookie policy to SameSite=Strict where applicable, or scoping cookies more narrowly between subdomains.
- Validate that the TV code has not already been claimed and that it belongs to the requesting session before processing the sync.
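To make the root cause and the fixes concrete, here is an added model of the sync endpoint (example code written for this write-up, not the affected service's code): one handler reproduces the flaw described above, the other applies the recommended fixes. The in-memory session and TV-code stores, the trusted origin `https://tvs.example.test`, and the field names are assumptions.

```python
import hmac

def fresh_state():
    """Constructed sample state standing in for the service's session and TV-code stores."""
    sessions = {"victim-sid": {"user": "victim", "csrf": "victim-csrf-token"}}
    tv_codes = {"000111": {"guid": "attacker-guid", "claimed_by": None}}
    return sessions, tv_codes

def _lookup(state, params, cookies):
    """Resolve the caller's session (from the cookie) and the TV code named in the request."""
    sessions, tv_codes = state
    sess = sessions.get(cookies.get("sid"))
    tv = tv_codes.get(params.get("code"))
    if tv is not None and tv["guid"] != params.get("guid"):
        tv = None
    return sess, tv

def vulnerable_sync(state, method, params, cookies):
    """Mirrors the reported flaw: any method is accepted and the Lax cookie is the only 'CSRF defence'."""
    sess, tv = _lookup(state, params, cookies)
    if sess is None:
        return 401
    if tv is None:
        return 400
    tv["claimed_by"] = sess["user"]   # the victim's login is now bound to the attacker's TV code
    return 200

TRUSTED_ORIGIN = "https://tvs.example.test"   # assumed stand-in for the real subdomain

def hardened_sync(state, method, params, cookies, headers, form):
    """Same operation with the write-up's recommended fixes applied."""
    sess, tv = _lookup(state, params, cookies)
    if sess is None:
        return 401
    if method != "POST":                       # fix 1: a top-level GET navigation never reaches the state change
        return 405
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != TRUSTED_ORIGIN and not origin.startswith(TRUSTED_ORIGIN + "/"):
        return 403                             # defence in depth: cross-site POSTs are refused as well
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403                             # fix 2: session-bound CSRF token carried in the POST body
    if tv is None:
        return 400
    if tv["claimed_by"] is not None:           # fix 4: a TV code can be claimed only once
        return 409
    tv["claimed_by"] = sess["user"]
    return 200
```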
Thank you for reviewing this Writeup!