Step-by-step instructions to reproduce the issue (in Firefox web browser):
- Select two different email addresses (A and B) for which you can receive messages. Aliases are OK; you do not need to send any message from either email account in order to reproduce the issue.
- If already logged in to lists.wikimedia.org, log out now.
- Go to https://lists.wikimedia.org/postorius/lists/mediawiki-announce.lists.wikimedia.org/
- Subscribe using email address A (creating an account doesn't matter) and confirm the request as instructed.
- If already logged in to lists.wikimedia.org, log out now.
- Go to https://lists.wikimedia.org/accounts/signup/
- Create an account using email address B and confirm the request as instructed.
- Go to https://lists.wikimedia.org/accounts/login/?next=/postorius/lists/mediawiki-announce.lists.wikimedia.org/ (if prompted to log in, do so using the account associated with email address B).
- Right-click on the drop-down list (selected option should be "Primary Address") and select "Inspect".
- Set the name attribute of the select element to "email".
- Set the value attribute of the first option element to email address A.
- In the action value of the form element, replace "subscribe" with "unsubscribe/" (including the forward slash at the end).
- Click the "Subscribe" button.
- Check the inbox for email address A.
Note that in addition to user A being unsubscribed, user B receives positive confirmation that user A was subscribed to the mailing list in question, in a way not subject to Wikimedia's IP rate limit on anonymous subscriptions through the web interface. If user A were not subscribed, user B would get the error, "a@example.com is not a member address of mediawiki-announce@lists.wikimedia.org".
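As an added illustration (not Postorius's or Wikimedia's code; all names, the request model and the sample data are hypothetical), the handler pattern the report implies, next to a version that performs the missing ownership check server-side before touching membership:

```python
from dataclasses import dataclass, field

# Constructed sample data: account B is logged in and owns only b@example.com;
# a@example.com belongs to someone else and is currently subscribed to the list.
LIST = "mediawiki-announce@lists.wikimedia.org"
MEMBERS = {"a@example.com"}


@dataclass
class Request:
    user_emails: frozenset                    # verified addresses of the logged-in account
    post: dict = field(default_factory=dict)  # submitted form fields (attacker-controlled)


def unsubscribe_vulnerable(req, members):
    """Trusts the form's 'email' field: any logged-in user can unsubscribe any
    address, and the two distinct responses reveal whether it is a member."""
    email = req.post["email"]
    if email not in members:
        return 400, f"{email} is not a member address of {LIST}"
    members.discard(email)
    return 200, f"{email} has been unsubscribed from {LIST}"


def unsubscribe_hardened(req, members):
    """Re-derives server-side which addresses the user may act on. The
    'Primary Address' drop-down is only a UI hint; the submitted value is
    authorised against the account's verified addresses first, and the
    rejection is identical whether or not the address is a member, so no
    subscription state leaks and nothing is changed."""
    email = req.post.get("email", "").strip().lower()
    if email not in {e.lower() for e in req.user_emails}:
        return 403, "You can only unsubscribe addresses that belong to your account"
    if email not in members:
        return 400, f"{email} is not a member address of {LIST}"
    members.discard(email)
    return 200, f"{email} has been unsubscribed from {LIST}"


def demo():
    """User B submits a form whose 'email' field was edited to address A."""
    forged = Request(user_emails=frozenset({"b@example.com"}),
                     post={"email": "a@example.com"})
    return unsubscribe_vulnerable(forged, set(MEMBERS)), unsubscribe_hardened(forged, set(MEMBERS))
```

A rate limit on the anonymous subscribe form does not cover this path, so the authorisation check in the handler is what closes both the unsubscribe and the membership-oracle behaviour.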
OWASP vulnerability category: A5:2017-Broken Access Control