Mozilla: IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account
Description

A critical vulnerability was identified in the Firefox Accounts API that allowed an authenticated attacker to permanently delete any user's account. The attacker sends a POST /v1/account/destroy request authenticated with their own session, but places the victim's email and password hash in the JSON payload. The server failed to verify that the session making the request belonged to the account being…

