bugcrowd

3 articles
0 6/10

A researcher achieved account takeover by combining clickjacking (missing X-Frame-Options header) with parameter manipulation to trick users into changing their account email. The attacker loaded the profile change page in an invisible iframe and overlaid a fake button to intercept clicks, allowing email hijacking without user consent.

Osama Avvan Bugcrowd
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago
0 6/10

A researcher discovered a CSRF vulnerability in an e-commerce website where the form_key token lacked server-side validation, allowing an attacker to forge requests that add arbitrary addresses to victim accounts. The vulnerability was demonstrated by removing the token from a CSRF PoC payload, and the report earned a $500 bounty.

Rajesh Ranjan Bugcrowd form_key
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago
0 5/10

A reflected XSS vulnerability was discovered in Bugcrowd's main domain via an undisclosed 'locale' parameter that was vulnerable to injection. The vulnerability was traced to Locomotive CMS, which is used by multiple websites, and could allow attackers to steal user data and perform CSRF attacks; Bugcrowd patched the issue and awarded $600.

Bugcrowd Locomotive CMS WitCoat Security v0sx9b
blog.witcoat.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago