For a long time, Cloudflare had a feature where you could "preview" custom CSS and HTML intended for use with their custom error pages. Basically, the preview feature just took CSS and HTML in a query string and then displayed it on cloudflarepreview.com/....
I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.
The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".
Then they fixed it by adding a JWT token to the URL (and no bounty paid).
I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.
I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.
The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".
Then they fixed it by adding a JWT token to the URL (and no bounty paid).
I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.