shesha sai_c
Jan 20, 2020

Hello my fellow hunters, I'm back with one more write-up, in which I chained two bugs.

The bug is simple. As usual, this is a private site, so redacted.com.

Let's get started.

Bug 1: The bug is that the confirmation link can be reused as many times as you like, so an attacker can use it to reset the password.

Reproduction steps:

1. Visit https://redacted.com/signup

2. When you give your mail ID and your name, you will be sent a confirmation link to your inbox to activate the account, which also lets you set the password for your account.

3. You can use this link as many times as you need; every time you use it, it always prompts you to set a password.

Everything is cool till here; it will be considered low impact. They responded to me with (150$). So what can I do to increase this, as you cannot steal from the user, right….

Bug 2: So I looked into the confirmation token, where I saw that it's leaking the confirmation token in the Referer header with a GET request.

Reproduction steps:

1. Go to the inbox.

2. Click the link. I caught the request in Burp intercept, where the Referer header caught my eye with the link.

3. This link can be shared with third parties.

Takeaways: This means a third party is able to use it (because it leaks in the Referer header) to set the password (because it can be used multiple times).

Bounty: 250$
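For the fix side of this chain, here is an added example (not code from the target site or from the original write-up) of a confirmation token that works exactly once, plus the response headers that keep the tokenized URL out of the Referer header. The in-memory store, the class and function names, the one-hour lifetime and the sample address are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the write-up does not state one


class ConfirmationTokens:
    """Single-use confirmation tokens (hypothetical in-memory store)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked store does not leak live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token):
        """Call when the password is set. Returns the email once, else None."""
        # pop() removes the entry on first use, so a replayed link finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._now() < expires_at else None


def confirmation_page_headers():
    """Headers for the page that receives the token in its GET URL."""
    return {
        # Stops the browser sending this URL as Referer to third parties.
        "Referrer-Policy": "no-referrer",
        # Keeps the tokenized URL's response out of caches.
        "Cache-Control": "no-store",
    }


def demo():
    store = ConfirmationTokens()
    token = store.issue("user@example.test")  # constructed sample address
    first = store.consume(token)   # legitimate use from the inbox
    replay = store.consume(token)  # same link used again by someone else
    return first, replay


if __name__ == "__main__":
    print(demo(), confirmation_page_headers())
```

Either control alone breaks the chain: a leaked token is useless once consumed, and a reusable token is far less exposed if it never leaves in a Referer header.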

Hope it helped to learn something!

Happy hunting

It's me, shesha sai_c