Any user can completely delete their own account without authorization and/or going through any kind of membership cancellation protocol.
Low
Shipt
Team Summary
Official summary from Shipt
A security researcher identified an endpoint that allowed Shipt Members to delete their own account by intercepting an HTTP request, changing the HTTP method to DELETE, and forwarding the request, bypassing the normal membership cancellation protocol. This endpoint did not allow for modifying other members' accounts and was self-exploitable only. However, this issue could have impacted business operations and metrics and Shipt re-opened the report and Shipt engineers implemented a fix. Researcher validated the fix.
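To illustrate the class of bug the summary describes, here is an added example (not Shipt's code; the route paths, the `Member` model and the in-memory `db` are assumptions): a handler that keys on whatever HTTP method arrives honours a DELETE the web client never sends, while the hardened version allowlists methods and routes every cancellation through a separate workflow endpoint that only marks the account as pending.

```python
from dataclasses import dataclass, field

@dataclass
class Member:
    member_id: int
    status: str = "active"  # active | cancellation_pending

@dataclass
class Request:
    method: str
    path: str
    session_member: int  # member id taken from the authenticated session
    body: dict = field(default_factory=dict)

def _owned_member(db, req):
    """Both handlers act only on the caller's own account (the report notes the
    endpoint was self-exploitable only); returns (member, None) or (None, error)."""
    member_id = int(req.path.rsplit("/", 1)[1])
    if member_id != req.session_member:
        return None, (403, {"error": "forbidden"})
    member = db.get(member_id)
    if member is None:
        return None, (404, {"error": "not found"})
    return member, None

def weak_member_route(db, req):
    """Weak: dispatches on the raw method, so the UI's cancellation flow is the only guard."""
    member, err = _owned_member(db, req)
    if err:
        return err
    if req.method == "GET":
        return 200, {"member_id": member.member_id, "status": member.status}
    if req.method == "DELETE":  # reachable simply by swapping the method on a captured request
        del db[member.member_id]
        return 204, None
    return 405, {"allow": ["GET", "DELETE"]}

ALLOWED_METHODS = frozenset({"GET"})  # explicit allowlist for /members/{id}

def hardened_member_route(db, req):
    """Hardened: unknown methods are rejected up front and no code path deletes the record."""
    if req.method not in ALLOWED_METHODS:
        return 405, {"allow": sorted(ALLOWED_METHODS)}
    member, err = _owned_member(db, req)
    if err:
        return err
    return 200, {"member_id": member.member_id, "status": member.status}

def cancellation_route(db, req):
    """The sanctioned path (assumed POST /membership/cancellation): the account is only
    flagged as pending; actual retirement is left to a back-office process, never this request."""
    if req.method != "POST":
        return 405, {"allow": ["POST"]}
    member = db.get(req.session_member)
    if member is None:
        return 404, {"error": "not found"}
    if req.body.get("confirm") is not True:
        return 400, {"error": "explicit confirmation required"}
    member.status = "cancellation_pending"
    return 202, {"member_id": member.member_id, "status": member.status}
```

The useful detection signal on the server side is the same in both designs: any DELETE (or other unexpected method) against a member resource should be logged and answered with 405, since a legitimate client never issues one.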
Reported by
s3cur3
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Improper Access Control - Generic