Freelancer recently announced a Bug Bounty Program. Details are available here: Freelancer Vulnerability Submission. Well, since Freelancer has only newly announced the program to reward security researchers for responsible disclosure of security vulnerabilities in Freelancer.com, I am damn sure that it would be vulnerable to many attacks, as security researchers haven’t headed towards it yet.
However, the simplest and fastest vulnerability to find is a Cross-Site Scripting (XSS) vulnerability in Freelancer. So I just did the following steps to successfully discover the hidden pop-up message.
Well, to find this out, I retracted/cancelled my bid (as a freelancer) from the project and submitted a bid again on the same project, but this time I slightly modified the payload in the description and used a different one in the message field during submission.