In-scope domain can also be in Error - Open Redirection @Mailboxes


Hi All,

A long time back, while participating in the Dropbox Acquisitions program, I found Open Redirection, CSRF (account takeover) and other low-hanging fruits on the Mailboxes platform.

Well, initially the Mailboxes domain was in-scope for Dropbox Acquisitions.

Later on, after my submission, they said:-

So they removed their in-scope URL after my submission.

The point in sharing this bug is that even after reporting a valid vulnerability to the program owner and spending hours and days hunting the bug, they refused to acknowledge my efforts, citing the in-scope domain as an error.

Nevertheless, I thought I would share my findings with you guys.

Video POC:-

Thank you.