Hi All,
A long time back, while participating in the Dropbox Acquisitions program, I found Open Redirection, CSRF - Account takeover and other low-hanging fruit on the Mailboxes platform.
Well, initially the Mailboxes domain was in scope for Dropbox Acquisitions.
Later on, after my submission, they said:
So they removed their in-scope URL after my submission.
The point in sharing this bug is that even after I shared a valid vulnerability with the program owner and spent hours and days hunting bugs, they refused to acknowledge my efforts, citing the in-scope domain as an error.
Nevertheless, I thought to share my finding with you guys.
Video POC:-
Thank you.