Unauthorized Blogs Creation

Low
Lichess
Reported by albetisi

Vulnerability Details

Technical details and impact analysis

Improper Access Control - Generic
Hi, an unauthorized blog creation vulnerability has been identified on lichess.org. By manipulating a certain request and leveraging the session cookies of a different account, an attacker can bypass account-specific limitations and create a blog post on an account that is not yet eligible to do so.

Steps:

1. Open a new account and attempt to create a blog post; you will face the message below. {F2653923}
2. Log in with a different browser and an old account that has the ability to create blog posts, go to create a blog with test data and solve the captcha, but before clicking save fire up Burp Suite, catch the request, send it to Repeater and then drop it. {F2653943}
3. Here, I replaced the cookies in the request with the cookies of the new account, clicked send, and the response was like: {F2653958}
4. I copied the Location URL and visited it in the browser while logged in with the new account: https://lichess.org/[The Location Header]
5. You can see that as a new account we are able to edit the content and submit the form.
6. Verify that the unauthorized blog post is successfully created in the new account. {F2653979}

## Recommendation

The platform's blog creation feature should be thoroughly reviewed and validated to ensure that all account restrictions are enforced correctly.

## Impact

Allows unauthorized users to circumvent the intended restrictions on blog creation and create posts on accounts that are not yet eligible to do so. This can lead to the spread of unauthorized or malicious content on the platform, potentially damaging the platform's reputation and user experience.
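The root cause described above is an eligibility check that runs when the create form is rendered but not when the create (and later edit) request is processed, so a replayed request carrying another account's session cookie passes. The following is an added illustration, not Lichess's code and not the reporter's: a toy blog service with a constructed session store, showing the gate-at-the-UI-only pattern next to a version that re-checks the authenticated user's eligibility and ownership on every state-changing endpoint. The `can_create_blog` flag, the cookie values and the user names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict


class Forbidden(Exception):
    """Raised when the session on this request is not allowed to do the action."""


@dataclass
class User:
    name: str
    # Hypothetical eligibility flag standing in for whatever threshold the real
    # platform applies (account age, activity, ...). Assumption, not Lichess's rule.
    can_create_blog: bool


@dataclass
class BlogPost:
    post_id: int
    author: str
    body: str


# Constructed session store: cookie value -> authenticated user.
SESSIONS: Dict[str, User] = {
    "cookie-old-account": User("old_account", can_create_blog=True),
    "cookie-new-account": User("new_account", can_create_blog=False),
}


class BlogService:
    def __init__(self) -> None:
        self._posts: Dict[int, BlogPost] = {}
        self._next_id = 1

    def _current_user(self, session_cookie: str) -> User:
        """Resolve the user from the cookie carried by *this* request."""
        try:
            return SESSIONS[session_cookie]
        except KeyError:
            raise Forbidden("no valid session") from None

    # --- Pattern the report describes: the restriction lives only in the UI step ---

    def render_create_form(self, session_cookie: str) -> str:
        """Step 1: a new account sees the 'not allowed' message here..."""
        user = self._current_user(session_cookie)
        if not user.can_create_blog:
            return "You are not yet allowed to create blog posts."
        return "<form action='/blog/create'>...</form>"

    def create_post_unchecked(self, session_cookie: str, body: str) -> BlogPost:
        """...but the save endpoint assumes the form was only shown to eligible
        users, so a request with a different session cookie is accepted.
        Kept here only to contrast with create_post below."""
        user = self._current_user(session_cookie)
        return self._store(user, body)

    # --- Hardened: enforce the restriction on every state-changing endpoint ---

    def create_post(self, session_cookie: str, body: str) -> BlogPost:
        user = self._current_user(session_cookie)
        if not user.can_create_blog:
            raise Forbidden(f"{user.name} may not create blog posts")
        return self._store(user, body)

    def edit_post(self, session_cookie: str, post_id: int, body: str) -> BlogPost:
        """The edit page reached via the Location header (step 4) must re-check
        both ownership and eligibility rather than trusting the redirect."""
        user = self._current_user(session_cookie)
        post = self._posts[post_id]
        if post.author != user.name or not user.can_create_blog:
            raise Forbidden(f"{user.name} may not edit post {post_id}")
        post.body = body
        return post

    def _store(self, user: User, body: str) -> BlogPost:
        post = BlogPost(self._next_id, user.name, body)
        self._posts[post.post_id] = post
        self._next_id += 1
        return post


def demo() -> Dict[str, bool]:
    """Exercise both code paths with the constructed sessions."""
    results: Dict[str, bool] = {}
    weak = BlogService()
    results["unchecked_new_account_created"] = (
        weak.create_post_unchecked("cookie-new-account", "x").author == "new_account"
    )
    hard = BlogService()
    try:
        hard.create_post("cookie-new-account", "x")
        results["hardened_new_account_blocked"] = False
    except Forbidden:
        results["hardened_new_account_blocked"] = True
    post = hard.create_post("cookie-old-account", "draft")
    try:
        hard.edit_post("cookie-new-account", post.post_id, "tampered")
        results["hardened_edit_blocked"] = False
    except Forbidden:
        results["hardened_edit_blocked"] = True
    results["owner_can_edit"] = (
        hard.edit_post("cookie-old-account", post.post_id, "final").body == "final"
    )
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that authorization is derived from the session attached to the request being processed, on the create endpoint and again on the edit endpoint, so neither a dropped-and-replayed request nor a redirect to an edit URL grants anything the session's own account does not already have.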

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Improper Access Control - Generic