I still remember that exhausting day full of failures, the kind that are common for bug bounty hunters whenever you don't find issues in an application.
It was one of the public programs on Bugcrowd, with a mobile app, an API and some domains in scope. I had a P1 duplicate on the same program. 🙁 I spent around 6 hours looking for issues in the web scope of the program and then realized I was not able to find any.
I decided to look for a parameter pollution issue at the purchase endpoint because it was the only thing left to try. Unfortunately, I ended up disappointed.
The program in scope had functionality to purchase digital goods, so I planned to spend $0.99 USD on a purchase.
Later on, I found out that the payment receipt/invoice had been sent to the old email address, i.e. the one used to sign up initially.
I had already changed my email address after signup while testing for an account takeover/verification bypass issue.
I reported this issue with a thorough explanation, although they took a long time to verify and triage it.
Although they made me wait for more than 2 weeks, they rewarded me with a satisfactory bounty amount for this issue. 🙂
Yes, of course, it was a low-hanging fruit which didn't require any special exploitation method, but it was a little outside the usual reach.
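The defect behind this finding is stale contact data: a billing component keeps its own copy of the email address taken at signup and never re-reads the account after the user changes it. The following is an added example, not code from the original post or from the program's application, and the account/billing model, names and sample addresses are all constructed assumptions. It shows the vulnerable pattern next to the fixed one (resolve the recipient from the account at send time, and only to a verified address), plus a small audit that flags receipts addressed to something other than the account's current email.

```python
"""Added example (not from the original post): why a payment receipt can land in
the old signup mailbox after the user changes their address, and how to fix and
detect it. The account/billing model and all sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    email: str                  # the account's current address
    email_verified: bool = True


@dataclass
class BillingProfile:
    user_id: int
    contact_email: str          # snapshot copied at signup: this is the defect


@dataclass
class Outbox:
    # (user_id, recipient, subject) for every message "sent"
    sent: list = field(default_factory=list)


class Store:
    """Minimal in-memory stand-in for the account and billing tables (assumed)."""

    def __init__(self):
        self.accounts = {}
        self.billing = {}

    def signup(self, user_id, email):
        self.accounts[user_id] = Account(user_id, email)
        # Vulnerable pattern: billing keeps its own copy of the address.
        self.billing[user_id] = BillingProfile(user_id, email)

    def change_email(self, user_id, new_email, verified=True):
        acct = self.accounts[user_id]
        acct.email = new_email
        acct.email_verified = verified
        # Nothing updates self.billing[user_id].contact_email -> it goes stale.


def send_receipt_stale(store, outbox, user_id, amount):
    """Vulnerable: addresses the receipt using the billing snapshot."""
    to = store.billing[user_id].contact_email
    outbox.sent.append((user_id, to, f"Receipt for ${amount:.2f}"))
    return to


def send_receipt_current(store, outbox, user_id, amount):
    """Fixed: resolve the recipient from the account at send time, and refuse to
    send while the current address is unverified, so a pending (unconfirmed)
    change cannot redirect financial mail either."""
    acct = store.accounts[user_id]
    if not acct.email_verified:
        raise PermissionError("current email not verified; receipt withheld")
    to = acct.email
    outbox.sent.append((user_id, to, f"Receipt for ${amount:.2f}"))
    return to


def audit_stale_receipts(store, outbox):
    """Detection: receipts whose recipient differs from the owning account's
    current email. Run this over a mail log to find the bug retroactively."""
    return [
        (uid, to, subj)
        for uid, to, subj in outbox.sent
        if to != store.accounts[uid].email
    ]


def demo():
    """Reproduces the scenario from the post with constructed data."""
    store, outbox = Store(), Outbox()
    store.signup(1, "first@example.com")
    store.change_email(1, "second@example.com")   # user updates email
    stale = send_receipt_stale(store, outbox, 1, 0.99)    # goes to old address
    fixed = send_receipt_current(store, outbox, 1, 0.99)  # goes to new address
    return stale, fixed, audit_stale_receipts(store, outbox)


if __name__ == "__main__":
    print(demo())
```

The audit compares each receipt against the owning account rather than against the set of all current addresses, so a stale address that happens to belong to some other user is still flagged.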