This is an old note I never got around to posting until now. Back when I was fuzzing Toyota's Bug Disclosure Program, before I realized how limited their scope was, I was grepping their subdomains for generic open redirects in hopes of chaining small bugs together for escalated impact. Using an open-redirect for XSS, SSRF, or SQLi. And I did in fact stumble over such a vulnerability.