A bug bounty writeup demonstrating an account takeover vulnerability combining IDOR and weak encryption in a password reset function. The attacker decrypted Zlib-compressed tokens, discovered an Adler-32 checksum constraint, located a Transaction_Token endpoint via directory fuzzing, and automated exploitation to forge valid password reset links for arbitrary accounts.
A clickjacking vulnerability in Telegram's web client allowed attackers to iframe the application using sandboxed iframes to bypass frame-busting JavaScript, combined with blocking the app.css stylesheet to circumvent CSS-based visibility controls, enabling CSRF attacks and unauthorized account actions. The vulnerability was fixed by implementing server-side X-Frame-Options headers.