Back in 2017, I reported this simple XSS vulnerability that affects Mixmax Chrome Extension. The vulnerability was due to a feature called insert link/URL. This vulnerability didn't trigger on other user since the payload was filtered after it was push to the victim so ends up into self-XSS but Mixmax issued a fix and rewarded me a Mixmax swag that until now didn't arrive. (I don't know why). This vulnerability was reported to Mixmax via Hackerone.
--Proof of Concept--
PS: Don't mind my inbox, nothing sensitive in there.
Report Title: XSS in Mixmax Chrome Extension
Reported: 2017-10-31 13:00:48 +0000
Triaged: 2018-01-08 19:45:25 +0000
We'll fix, thanks!Fixed: 2018-02-10 03:50:44 +0000
Reward: Mixmax Swag
I hope you enjoy this write up! stay tune for more contents like this in the future.
Have a great day,
“To be yourself in a world that is constantly trying to make you something else is the greatest accomplishment.”
― Ralph Waldo Emerson