Stealing app credentials by reflected XSS on Lark Suite

Medium
Lark Technologies

Team Summary

Official summary from Lark Technologies

A reflected cross-site scripting (XSS) vulnerability was found on a Lark Suite endpoint via the 'next' parameter which an attacker could have potentially used to obtain app credentials (must first know the app ID). We have resolved this issue and thank @imran_nisar for reporting this to our team.

Reported by imran_nisar

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Cross-site Scripting (XSS) - Reflected