Allen Chou says to YSITD I found in your version 1.6 that the change password did not produce a related token, resulting in a CSRF vulnerability