In-scope domain can also be in Error - Open Redirection @Mailboxes


Hi All,

A long time back, while participating in the Dropbox Acquisitions program, I found an Open Redirection, a CSRF account takeover and other low-hanging fruits on the Mailboxes platform.

Well, initially the Mailboxes domain was in scope for Dropbox Acquisitions.

Later on, after my submission, they said:


So they removed the in-scope URL after my submission.

The point of sharing this bug is that even after reporting a valid vulnerability to the program owner and spending hours and days hunting bugs, they refused to acknowledge my efforts, citing the in-scope domain as an error.


Nevertheless, I thought I would share my finding with you guys.


Video POC:




Thank you.