CSRF vulnerability at CloudAtCost.com

CloudAtCost.com provides low-cost virtual machines hosted in Canada. panel.cloudatcost.com is the management interface, where customers can install OS images, access a console, etc.A cross-site request forgery (CSRF) vulnerability was discovered in this web application. If a customer could be tricked into visiting a crafted URL while logged in, an attacker could change the victim’s password, gaining access to the management interface. In turn, this grants root access on all the victim’s VMs, the ability to wipe or reinstall VMs, and potentially allows the attacker to spend the victim’s money on CloudAtCost products and services.