• theneverfox@pawb.social
    19 hours ago

    Well that’s one layer, but when you decode a url, you’re probably going to get a url, and then it’s going to go to that url

    So now you just made them go to a website. What’s there? Whatever you want. Maybe you ask them for Facebook/Google/GitHub or whatever authorization to see their name and email, which a lot of people would do. Then redirect them to a page saying “now I know who you are, delete the photo, <user>”

    Or you could send them a payload based on fingerprinting their request, you could give them a fake page to steal their password, etc