# Paytm's Broken Link Flaw

**Hello Everyone**

‎‎‎‎‎I hope you all are doing well. This write-up is about the **Paytm Broken Link Hijacking** Vulnerability.

B**roken Link Hijacking (BLH)** is a web-based attack where the attackers take over expired, stale, and invalid external links on credible websites/ web applications for malicious purposes. More Info 👉 [**BLH**](https://www.indusface.com/blog/what-is-broken-link-hijacking/#:~:text=Broken%20Link%20Hijacking%20%28BLH%29%20is,resources%20from%20external%20URLs%2F%20points.)**.**

The domain has normal login functionality. Typically, I will look for rate limits, password token issues, etc. So I started hunting for rate-limit and password token-related issues, but no luck.

After some time, I was just checking emails on my mobile. So that time, I just opened this forgot password email. Usually, I will check all the links on the email template, like **social media**.

Here I found 3 social media links: **1 Facebook** and **2 Twitter**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708365033810/b70a31ca-9d14-48a6-b74c-d0280d627b0c.png align="center")

I just opened the Facebook link, which redirected me to their official page. There are no issues here. Then I opened the second Twitter link, and that link was broken. It’s redirected to an invalid **Paytm Blog** page. However, there is no impact in this case. Because that domain is owned by **Paytm** only.

Then I opened the 3rd Twitter link and it redirected me to the Twitter error page `This Account doesn’t exist`. It means there is no user account with this username.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708365051551/0d4396b6-bc79-4c13-b27d-ee0b2a3f757d.png align="center")

Immediately, I created a fake Twitter account and I changed my user name to this user name.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708365075081/be604378-3730-404a-9593-138415ee59f2.png align="center")

Whenever a Paytm user requests a forgot password, and if he clicks the Twitter link on the email template, he will be redirected to this account.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708365084467/001632c8-bf33-4811-b716-be719e415fd6.png align="center")

**Report Timeline:**

* **Dec 24, 2021, 08:14 PM** - Reported to Paytm Security Team.
    
* **Jan 03, 2022, 02:44 PM**  - First Response from the Paytm Security Team.
    
* **Jan 13, 2022, 06:47 PM**  -  The Paytm Security Team fixed the issue.
    
* **Jan 13, 2022, 07:24 PM** - Re-tested and confirmed the fix
    
* **Jan 19, 2022, 09:53 AM  -** Awarded an [**Appreciation Certificate**](https://twitter.com/lohigowda_in/status/1483709274199310336?s=20)
