On settings/user/security
You can mark a device for wipe out that does not belong to you.
Steps:
- Create 2 accounts one for the hacker and one for the victim
- On both accounts add devices with different names
- On the hacker account, while intercepting with burpsuite, select the option to wipe out a device
- Forward with burpsuite and in the url that looks like settings/personal/authtokens/wipe/{data-id}, change the data-id to the id of the device of the victim
- Stop intercepting or forward again and the device of the victim will be marked for wipe out.
Here is a video demo
{F748890}
Impact
Attacker can wipe out the device of another user by using the device ID