NigelLu
commented
11 months ago Thank you for spotting this issue. It means a lot to Parkrowd. We will update our app to use cookie to extract which user is submitting POST requests to alleviate this issue (not just for verification, but all other POST).
What I did : Navigated to verification section for my user. Changed the url to that for user2 (http://parkrowd-prod.us-west-2.elasticbeanstalk.com/users/verification/test4 to http://parkrowd-prod.us-west-2.elasticbeanstalk.com/users/verification/test2)
What went wrong : I was able to submit a verification request on behalf of user2.