LogicalBreach Academy

User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon | Free Bug Bounty Writeup | LogicalBreach Academy

Writeups Cheatsheets Tools Collections Authors Noc Pricing

Back

Improper Access Control - GenericCVSS 2.5Easy

User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon

hackerone-reports

April 11, 2026

4 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3325582 by adilnbabras

Hi team, while reviewing the Mozilla Pontoon source code, I have found that a new feature has been added to Generate and Delete Personal Access Tokens for the Rest API. To Delete a token, a user sends a POST request to /delete-token/{token_id}/ endpoint with the numeric token ID. The developer forgot to put a check on user permissions at this endpoint, which allows a user to delete anyone's Personal Access Token.

Steps To Reproduce:

Log in to your Victim account at https://mozilla-pontoon-staging.herokuapp.com/.
On the top right corner, click on your profile icon and from the dropdown menu, click on settings.

███████

Prepare your proxy, like Burp Suite, to capture incoming requests and change your display name.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

hackerone-reports

€799 Documented

Profile →

Discussion

No comments yet.

Be the first to share your thoughts

Premium writeups about bug bounty hunting and web security.
Written by real security researchers.

Navigation

Writeups Cheatsheets Tools Authors Noc Pricing

Contactcontact@logicalbreach.com

RSS FeedPrivacy PolicyTerms of Service