Removing an account is a sensitive action that should be taken into consideration.
Some protection mechanisms should be incorporated:
- Protection: when deleting an account, the web application should request the user to submit its credentials (it can prevent attacks such CSRF, XSS...).
{% embed url="https://hackerone.com/reports/361368" %}
{% embed url="https://infosecwriteups.com/bugbounty-how-i-was-able-to-delete-anyones-account-in-an-online-car-rental-company-8a4022cc611" %}