Hello Everyone
I hope you all are doing well. This write-up is about a Broken Link Hijacking vulnerability I found in Paytm's password-reset email.
Broken Link Hijacking (BLH) is an attack in which an attacker claims the target of an expired, stale, or otherwise unregistered external link (a deleted social-media handle, an expired domain, a removed third-party resource) that a trusted website or web application still points to. Because the link sits on a credible site, its users follow it into attacker-controlled content. More info 👉 BLH.
The domain has normal login functionality. Typically, I look for rate limits, password-token issues, etc., so I started hunting for rate-limit and password-token-related issues, but had no luck.
After some time, while I was checking emails on my mobile, I opened the forgot-password email. Usually, I check all the links in the email template, including the social-media ones.
Here I found three social-media links: one Facebook and two Twitter.
I opened the Facebook link, which redirected me to their official page, so there was no issue there. Then I opened the second link, a Twitter one, and it was broken: it redirected to an invalid Paytm Blog page. However, there is no impact in this case, because that domain is owned by Paytm.
Then I opened the third link, the other Twitter one, and it redirected me to the Twitter error page "This Account doesn't exist", meaning there is no user account with this username.
Immediately, I created a fake Twitter account and changed my username to this username.
Now, whenever a Paytm user requests a forgotten password and clicks the Twitter link in the email template, they are redirected to this account.
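The manual procedure above (pull every link out of the email template, ignore the ones that point at the target's own domains, and check whether the remaining social-media handles still resolve to an account) is easy to automate. The following Python is an added example, not code from the original write-up or from Paytm; the email template, the first-party domain list (example-bank.com) and the table of "existing" handles are all constructed so that it runs offline. The `handle_exists` callback stands in for the live check, which in practice is an HTTP request to the profile URL looking for the platform's "account doesn't exist" response.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed forgot-password email template (assumption, not Paytm's template).
SAMPLE_EMAIL = """
<html><body>
<p>Click <a href="https://example-bank.com/reset?token=abc123">here</a> to reset your password.</p>
<p>Follow us:
<a href="https://www.facebook.com/ExampleBankOfficial">Facebook</a>
<a href="https://twitter.com/ExampleBank">Twitter</a>
<a href="https://twitter.com/ExampleBankOld">Twitter</a>
<a href="https://blog.example-bank.com/old-post">Blog</a>
<a href="https://twitter.com/intent/tweet?text=hello">Tweet this</a>
</p>
</body></html>
"""

# Domains the target owns; links into these cannot be hijacked by an outsider.
FIRST_PARTY = {"example-bank.com"}


class _HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in the template."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


# Profile-URL shapes per platform: a single path segment that is a username.
HANDLE_RE = re.compile(r"^/([A-Za-z0-9_.]{1,50})/?$")
SOCIAL_HOSTS = {"twitter.com": "twitter.com", "x.com": "twitter.com", "facebook.com": "facebook.com"}
# Path segments that are platform features, not usernames.
RESERVED_SEGMENTS = {"intent", "share", "home", "i", "search", "hashtag", "login", "sharer.php"}


def _canonical_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_link(url, first_party_domains):
    """Tag a link as first_party, social_profile (with platform + handle), or third_party."""
    host = _canonical_host(url)
    if not host:
        return {"url": url, "kind": "relative"}
    if host in first_party_domains or any(host.endswith("." + d) for d in first_party_domains):
        return {"url": url, "kind": "first_party"}
    platform = SOCIAL_HOSTS.get(host)
    if platform:
        match = HANDLE_RE.match(urlparse(url).path)
        if match and match.group(1).lower() not in RESERVED_SEGMENTS:
            return {"url": url, "kind": "social_profile", "platform": platform,
                    "handle": match.group(1).lower()}
    return {"url": url, "kind": "third_party"}


def find_hijackable(html, first_party_domains, handle_exists):
    """Return the social-profile links whose handle no longer resolves to an account."""
    findings = []
    for url in extract_links(html):
        info = classify_link(url, first_party_domains)
        if info["kind"] == "social_profile" and not handle_exists(info["platform"], info["handle"]):
            findings.append(info)
    return findings


# Constructed stand-in for the live lookup: only these handles "exist".
_CONSTRUCTED_EXISTING = {("twitter.com", "examplebank"), ("facebook.com", "examplebankofficial")}


def constructed_handle_exists(platform, handle):
    return (platform, handle) in _CONSTRUCTED_EXISTING


if __name__ == "__main__":
    for finding in find_hijackable(SAMPLE_EMAIL, FIRST_PARTY, constructed_handle_exists):
        print(f"hijackable: {finding['url']} (@{finding['handle']} on {finding['platform']} is unregistered)")
```

Two details matter when turning this into a real scanner: `www.` and `x.com` are folded onto the same platform so the same handle is not checked twice, and share/intent paths are excluded so a `twitter.com/intent/tweet` button is not mistaken for a profile. Anything flagged still needs a manual look, since a platform may have suspended or reserved a handle without it being registrable.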
Report Timeline:
Dec 24, 2021, 08:14 PM - Reported to Paytm Security Team.
Jan 03, 2022, 02:44 PM - First Response from the Paytm Security Team.
Jan 13, 2022, 06:47 PM - The Paytm Security Team fixed the issue.
Jan 13, 2022, 07:24 PM - Re-tested and confirmed the fix.
Jan 19, 2022, 09:53 AM - Awarded an Appreciation Certificate