
The title gives a hint: broken authentication control.
There is also this comment:
    // don't use getstatus('all') until we get the verify_integrity() patched
If we open the console and send getTasks('user1A601E2b'), we get nothing back.
You can also use all instead of user1A601E2b; it will display the flag for a second.
So you can open Burp Suite and forward until you can grab the flag.