Today, I have discovered a vulnerability within klout.com.
This bug allows you to update other people’s stats, change their password, or change their email.
The vulnerability lies in how the site handles its cookies.
To achieve the desired result, you must edit your cookies (through, for example, the Firecookie plug-in for the Firebug add-on for Firefox).
One must then log in WITH “remember me” enabled.
If you have Firecookie open, you will now see your own username somewhere in the cookies; change this to the username of your victim.
Next, delete the PHPSESSID cookie, navigate to another page on Klout, and then go to “My Profile”. You should then see that you are now logged in as your victim.
NOTE: This is merely a bug I discovered and am disclosing here. This is for educational purposes only and I will not be held responsible for any harm done. I will also, as of this moment, not answer any further questions about this disclosure.