You could pass any URL in the tl parameter of the Capital One Investing login
page and be redirected to any site on the Internet. An attacker could use
this to redirect a user to an untrusted site and potentially phish them.
This error has since been fixed.
If you were already logged in, you were automatically redirected to the URL in
the tl parameter. An attacker could use this to present a link on
capitaloneinvesting.com that immediately redirects to their phishing site.
Because the link genuinely points at the legitimate domain, the usual advice
to check the domain before clicking does not protect the user here.
More information about this class of vulnerability is available here: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
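As an added example (not Capital One's code and not part of the original report), the Python below puts the behaviour described above next to a validated version of the same redirect. The site origin, the hostname allowlist and the names of the two functions are assumptions chosen for illustration; the tricky inputs in the comments are the ones an open-redirect fix usually gets wrong.

```python
"""Open-redirect validation for a login "return to" parameter such as tl.

Added example, not Capital One's code. SITE_ORIGIN and ALLOWED_HOSTS are
assumed values chosen for illustration.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.capitaloneinvesting.com"   # assumed
ALLOWED_HOSTS = {"www.capitaloneinvesting.com"}       # assumed allowlist
DEFAULT_TARGET = SITE_ORIGIN + "/"


def vulnerable_redirect_target(tl: str) -> str:
    """The behaviour the report describes: whatever is in tl becomes the
    redirect target, so any URL on the Internet is accepted."""
    return tl


def safe_redirect_target(tl: str) -> str:
    """Return an absolute URL on an allowed host, or DEFAULT_TARGET.

    Accepts either a site-relative path (/foo?bar) or an https URL whose
    hostname is exactly in ALLOWED_HOSTS; everything else falls back.
    """
    if not tl:
        return DEFAULT_TARGET
    # Control characters, whitespace and backslashes are rejected outright:
    # browsers strip or rewrite them ("/\evil.com" becomes "//evil.com",
    # "java\tscript:" becomes "javascript:"), so any input a parser sees
    # differently from the browser is exactly what an attacker wants.
    if any(ord(c) < 0x21 or c == "\\" for c in tl):
        return DEFAULT_TARGET

    parts = urlsplit(tl)

    # Case 1: site-relative path. It must start with exactly one "/";
    # "//evil.com" and "///evil.com" are protocol-relative in browsers and
    # would leave the site even though urlsplit sees no scheme.
    if not parts.scheme and not parts.netloc:
        if tl.startswith("/") and not tl.startswith("//"):
            return SITE_ORIGIN + tl
        return DEFAULT_TARGET

    # Case 2: absolute URL. Compare the parsed hostname, never a string
    # prefix: "https://www.capitaloneinvesting.com.evil.com/" and
    # "https://www.capitaloneinvesting.com@evil.com/" both start with the
    # real domain but land on evil.com.
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return DEFAULT_TARGET
    if (parts.scheme.lower() == "https"
            and parts.hostname in ALLOWED_HOSTS
            and parts.username is None
            and port in (None, 443)):
        return tl
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("/account", "https://evil.com/login", "//evil.com",
                      "///evil.com", "/\\evil.com", "javascript:alert(1)",
                      "https://www.capitaloneinvesting.com.evil.com/",
                      "https://www.capitaloneinvesting.com@evil.com/",
                      "https://www.capitaloneinvesting.com/account"):
        print(f"{candidate!r:55} -> {safe_redirect_target(candidate)}")
```

The design choice worth noting is that the validator decides on the parsed hostname and on the raw leading characters of the string, not on whether the text "contains" or "starts with" the company domain; prefix and substring checks are the usual way an open-redirect fix ends up still open.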
February 12: Initial report
March 5: Reached a security engineer at Capital One
May 12: Disclosure deadline ends; noticed the error has been fixed.