by the_af 2088 days ago
Couldn't you just demonstrate the exploit by resetting any password? (by a willing participant, so as not to be considered as doing something illegal). I wonder how your tech lead could deny that.

"Eh that required too much work, no one will try that in real life"

"Oh you were smart enough to open the dev tools and see that, that won't happen irl"

"Oh, users don't have important enough info stored on this account, so it won't hurt to have someone access it" (<- literally the reasoning used by a site I used in defense of poor security: "The attacker only gets access to your last name and the last 4 digits of your credit card; that's not bad enough to need more security.")

Don't put it past an incompetent/lazy/underfunded tech lead to dismiss even a one-click account takeover script.