One-click account takeover: deep link -> open redirect -> XSS on a subdomain -> attacker-controlled URL.

The victim clicks a chat link, and the attacker receives the victim's auth token. Simple.