Dear Discourse Team,
Before logging in and sending a POST request to do so, a GET request is sent to retrieve and use a CSRF token.
Demo?=1465847188888 is an example using the test server.
Currently the token, as depicted by the '’ parameter, is being generated using Linux Epoch time.
This means that effectively the CSRF token login authentication can be bypassed by converting the current time that your browser visits a Discourse login page (and through trial and error of seeing how long it takes to submit the login form) in the GMT timezone to epoch time.
We believe that this could be an issue as it could allow an attacker to brute-force our forum users, or perhaps check another user’s inbox (in theory, I may be wrong as I haven’t had the time to write up a script just yet - I’m busy with exams).