9gag.com – Account Take Over Vulnerability via Change Email XSRF

A persistent XSS in the first name field of 9gag users was posted a few years back, during 2012. Simply edit the HTML of maxchar to bypass the character limit and insert attack vectors.
Somehow, the XSS was patched in late 2013.
However, the XSRF still works. If anyone can find an XSS vulnerability, they could combine it with the XSRF to take over a user account by changing the main email.
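
A server-side change-email handler that rejects the forged request described above, as an added example (not 9gag's code; the origin, form field names and the `check_password` hook are assumptions). It also asks for the current password, because an XSS on the same origin can read a CSRF token but does not know the password.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-deployment secret and the site's own origin.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://app.example"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC(secret, session_id), embedded in the form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, (token or "").encode())


def handle_change_email(session, headers, form, check_password):
    """Return (status, message) for a change-email POST.

    session: dict with 'id' and 'user'; form: dict of submitted fields;
    check_password: callable(user, password) -> bool (hypothetical hook).
    """
    # 1. A cross-site form carries the victim's cookie but not the site's Origin.
    if headers.get("Origin") != TRUSTED_ORIGIN:
        return 403, "bad origin"
    # 2. It also cannot know the token tied to the victim's session.
    if not csrf_token_valid(session["id"], form.get("csrf_token", "")):
        return 403, "bad csrf token"
    # 3. Re-authentication: a same-origin XSS can read the token, not the password.
    if not check_password(session["user"], form.get("current_password", "")):
        return 403, "password required"
    # Stage the change; the main email is only replaced after confirmation.
    session["pending_email"] = form.get("new_email", "")
    return 200, "email change pending"
```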