CSRF and probable account takeover on https://www.niche.co
Medium
X (Formerly Twitter)
Team Summary
Official summary from X (Formerly Twitter)
The researcher discovered that Niche’s CSRF protection was broken and that an attacker could trick a logged-in user into changing account information under the /account endpoint, including email address. This would not have enabled account takeover, however, since Niche does not handle account credentials independently of Twitter.
Reported by
mik317
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-Site Request Forgery (CSRF)