HackerOne Disclosed Reports - 2025-06-02


High
resolved

IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account


Bug reported by Zephyrus was disclosed on June 3, 2025, 8:38 am   |   Insecure Direct Object Reference (IDOR)

A critical vulnerability was identified in the Firefox Accounts API that allowed an authenticated attacker to permanently delete any user's account by sending a `POST /v1/account/destroy` request using the attacker's session, but including the victim's email and password hash in the JSON payload. The server failed to verify that the session making the request belonged to the account being deleted.



Posted by hashXploiter - 06-03-2025, 06:00 PM