The One-Click Library Wipe: Exploiting CSRF in Saved Stories
Author mr0x1_ found a security flaw on a website: with a GET request and a leaked zx token, a crafted malicious URL could control a user's "Saved Stories". The flaw shows how fragile "security through obscurity" is and underlines the need to protect every endpoint strictly.
2026-1-4 06:27:56 Author: infosecwriteups.com (view original)

Munna✨

“Security is often just an illusion — and I’m mr0x1_, the guy who likes to break the spell. Come along as I show you how I chained a ‘hidden’ secret with a lazy endpoint to rewrite any user’s library in total silence.”


Most people look at a URL and see a way to get to a page. As a researcher, I look at a URL and see a set of instructions. Last week, while exploring a site (let's call it mr0x1.com), I found a set of instructions that allowed me to take control of any user's "Saved Stories" silently, instantly, and with a single click.

It wasn’t just a simple bug; it was a lesson in why “security by obscurity” always fails.

A URL That Does Too Much

I was poking around the newsletter section when I decided to save an article for later. I fired up Burp Suite to watch the traffic, expecting a standard, boring background request. Instead, I saw this staring back at me:

GET /bookmarks/apply?zx=24723rhewuiewhdf7436r7ywe&nid=346236&action=add

My heart skipped a beat. A GET request? For a state-changing action?

In the world of web security, that’s like leaving your front door unlocked. But then I saw the zx parameter. At first glance, it looked like a standard CSRF token, a long, random string of characters designed to prove the request was legitimate. If that token was unique to my session, the bug was dead in the water.

The Token Hunt

I needed to know where that zx token came from. If I couldn't guess it or find it, I couldn't exploit the vulnerability.

I started digging into other endpoints, looking for the source. That’s when I hit the jackpot. I found a completely separate endpoint — one designed to check user emails. When I queried an email address, the server didn’t just tell me if the user existed; it handed me the keys to the kingdom.

The response leaked the zx token for that specific user.


This changed everything. I didn’t need to steal a cookie. I didn’t need to breach a server. I just needed to look in the one place the developers thought no one was watching. By hitting the email endpoint, I could grab a victim’s zx value and "seal" the malicious URL.

The Invisible Fingerprint

To prove how dangerous this was, I crafted a simple “trap” page. I didn’t want the victim to see a form or click a “Submit” button — that’s too obvious. I wanted it to happen like magic.

I built a tiny HTML file that automatically submits the request the millisecond the page loads. To the victim, it just looks like a page that failed to load or a quick redirect. To the server, it looks like a legitimate request from a logged-in user.

CSRF.html

<html>
<body>
<form action="https://mr0x1.com/bookmarks/apply">
<input type="hidden" name="zx" value="[STOLEN_ZX_TOKEN]" />
<input type="hidden" name="nid" value="346236" />
<input type="hidden" name="action" value="add" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

The “Oh No” Moment

I hosted the file and sent the link to my test account. I was logged in on one tab, and I opened the malicious link in another.

I went back to my “Saved Stories” and hit refresh. There it was. An article I never clicked, added to my list by a script running on a totally different domain.

Then, I changed the action from add to delete.
Refresh: My entire library was gone.

Why “Different Endpoints” Matter

The biggest takeaway from this find? Never trust a token that isn’t tied to a specific, secret session. The developers tried to be clever by including the zx parameter, but by leaking that same parameter in a different, unrelated endpoint, they rendered the entire defense useless. It’s a reminder to all of us: security is only as strong as your leakiest endpoint.

I reported this to the team immediately. Within a short time, they moved to secure the endpoint and properly validate origins.

Enjoyed the hunt?

I’m always digging for the next exploit that others miss. If you want to see more deep dives into broken logic and chained vulnerabilities, hit that Follow button and stay tuned for the next report.

💬 You can also find me on Twitter/X: @mr0x1_


Source: https://infosecwriteups.com/the-one-click-library-wipe-exploiting-csrf-in-saved-stories-28523d4bc5e2?source=rss----7b722bfd1b8d--bug_bounty