It started off like any other day until I got an unexpected email -- an invite to a private bug bounty program. Curious, I jumped in. The target? A website we'll call redacted.com.
I began testing the usual stuff -- login pages, account settings, and then the "Forgot Password" feature. At first, everything seemed normal: enter your email, get a reset link. But as I dug deeper, I found something strange. There was a flaw that could let an attacker take over someone else's account using the password reset feature.
It wasn't obvious -- pretty well-hidden, actually -- but if exploited, it could allow someone to completely lock out a victim and take control of their account. Serious stuff.