Hi everyone, how are you doing today? I hope you are doing great and scoring lots of bounties. Today's story is about a bug I found on a public disclosure program which allowed me to take over any user's account. It was a P4 issue, but I didn't report it as such; I chained it to a P1. Without further ado, let's start.

I don't have permission to disclose target information, so let's call it example.com. It was a normal website. There is not much functionality: you can create an account, log in, change your password, etc.

As always, I create 2 accounts. I first…


Hi everyone, I hope you all are doing great and scoring lots of bounties. I am Mohsin khan, I am from India, and I have been doing bug bounty full time for 1 year now. I found lots of bugs in the last year.

Today I am sharing one of my findings which allowed me to take over all users' accounts. It was an out-of-scope domain bug, but they paid me a bounty ❤. Without further ado, let's start.

It was a private program and I don't have permission to disclose any information about the target, so let's call it example.com…

Mohsin khan
