User's email disclosure via invalid password reset link [$250]

Today, I got a bug bounty from a HackerOne private program and I want to share the bug process.

I reset my account password from a subdomain and got the password reset link via email.

The password reset link has two parameters: userid and key. I changed the key to a wrong random key and got an error message:

"The password reset link was invalid, possibly because it has already been used. Please request a new password reset"

I checked every request and response. I noticed one response that stood out: the JSON response included an email parameter with the email address.


Nice. I tried changing the userid.

WTF. I got the email address of that userid in the JSON error response.
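To make the bug concrete, here is an added example (not code from the program in the post) of a reset-link validation handler that leaks the way described, next to a hardened version that returns the same generic error for every failure and never serializes account attributes. The user table, userids and keys are constructed sample data.

```python
import hmac
import secrets

# Constructed sample data (hypothetical): users keyed by userid.
USERS = {
    "1001": {"email": "alice@example.com", "reset_key": "k-alice-9f3"},
    "1002": {"email": "bob@example.com", "reset_key": "k-bob-71c"},
}

INVALID_MSG = ("The password reset link was invalid, possibly because it has "
               "already been used. Please request a new password reset")


def reset_vulnerable(userid: str, key: str) -> dict:
    """Mirrors the leak in the post: on a wrong key, the error JSON still
    echoes the e-mail looked up by userid, so the key check does not
    actually gate access to that attribute."""
    user = USERS.get(userid)
    if user is None:
        return {"error": "unknown user"}
    if key != user["reset_key"]:
        # Bug: the user record is serialized into the error response.
        return {"error": INVALID_MSG, "userid": userid, "email": user["email"]}
    return {"ok": True}


def reset_hardened(userid: str, key: str) -> dict:
    """Same flow without the disclosure: unknown userid, wrong key and
    used link all produce an identical body with no account data, and
    the key is compared in constant time."""
    user = USERS.get(userid)
    # Compare against a throwaway value so a missing user takes the same path.
    expected = user["reset_key"] if user else secrets.token_urlsafe(16)
    if not hmac.compare_digest(expected.encode(), key.encode()):
        return {"error": INVALID_MSG}
    return {"ok": True}


def leaks_email(response: dict) -> bool:
    """Review/detection helper: flag any error response carrying an e-mail."""
    return "error" in response and "email" in response
```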

I reported it to the HackerOne private program. They awarded me $250.

See you in the next bounty.
