This was my first bounty, worth $100. I got really excited the moment the email notification popped up. Read this write-up to learn how I found that bug.
Let's call the website www.example.com. First, I understood how the application works. After that, I logged out of the application and tried to visit the paths that are only available to logged-in users. As soon as I hit the first path on my list, I was redirected to "/login?redirect_to=%2fsettings".
An open-redirect vulnerability came to mind, and I was able to get a redirect to https://google.com/ by visiting https://www.example.com/login?redirect_to=https%3A%2f%2fgoogle.com%2f and logging in to www.example.com.
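The fix for this class of bug is to accept only site-relative paths in `redirect_to`. The following is an added example of that server-side check (not code from the affected site); `safe_redirect_target` and `resolve_redirect_param` are hypothetical names, and the values in the comments are taken from the redirects above.

```python
from urllib.parse import unquote, urlparse, urlunparse


def safe_redirect_target(value: str, default: str = "/") -> str:
    """Return a post-login redirect target that stays on the current origin.

    Only site-relative paths such as "/settings?tab=1" are accepted. A value
    carrying a scheme or host ("https://google.com/"), a protocol-relative
    prefix ("//host", "/\\host"), or control characters falls back to `default`.
    """
    if not value:
        return default
    candidate = value.strip()
    # Control characters are sometimes used to smuggle a scheme past naive checks.
    if any(ord(c) < 0x20 for c in candidate):
        return default
    parsed = urlparse(candidate)
    # Any scheme ("https:", "javascript:") or network location means off-site.
    if parsed.scheme or parsed.netloc:
        return default
    # Require an absolute path on this origin; browsers treat "//host" and
    # "/\host" as protocol-relative URLs, so reject those prefixes explicitly.
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    # Rebuild from the parsed parts so only path, params, query and fragment survive.
    return urlunparse(("", "", parsed.path, parsed.params, parsed.query, parsed.fragment))


def resolve_redirect_param(raw_query_value: str, default: str = "/") -> str:
    """Decode the raw `redirect_to` query value, then validate it.

    Hypothetical helper for frameworks that hand over the still-encoded value:
    "%2fsettings" -> "/settings", "https%3A%2f%2fgoogle.com%2f" -> "/".
    """
    return safe_redirect_target(unquote(raw_query_value), default)
```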
Then I thought: why not try to steal login credentials?
So I went for that after a good night's sleep. I visited the link:
An alert popped up showing both the email and the password of the victim.