Hello Everyone….
Lohith here (Sr. Security Engineer & Ethical Hacker from Bengaluru). I hope you all are doing well.
This write-up is about Paytm Broken Link Hijacking Vulnerability.
Broken Link Hijacking (BLH) is a web-based attack where attackers take over expired, stale, or invalid external links on credible websites/web applications for malicious purposes. More info 👉 BLH.
The domain has normal login functionality. Typically, I will look for rate-limit, password token issues, and so on. So I started hunting for rate-limit and password token-related issues, but no luck.
After some time, I was just checking emails on my mobile, and I opened this forgot-password email. Usually, I check all the links in the email template, such as the social media links.
Here I found 3 social media links: one Facebook link and two Twitter links.
I opened the Facebook link first, and it redirected me to their official Facebook page. No issues here. Then I opened the second link (Twitter), and that link was broken: it redirected to an invalid Paytm blog page. However, there is no impact in this case, because that domain is owned by Paytm.
Here is the interesting part…
Then I opened the third Twitter link, and it redirected to… 😁
Yeah…. It redirects to the Twitter error page (“This Account doesn’t exist”). It means there is no user account with this username.
Hacker Mode On 🎭…
Immediately, I created a fake Twitter account and changed its username to this username.
The final part…
Whenever a Paytm user requests a password reset and clicks the Twitter link in the email template, he will be redirected to the account I created.
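The defender's side of this finding is an audit of every outgoing email template for links that resolve to unregistered social media profiles. The script below is an added example, not code from the write-up or from Paytm: it extracts the links from an HTML template, follows each one through a pluggable `fetch` function, and separates links that merely land on a dead page of a domain the organisation owns (the Paytm blog case above, no takeover possible) from links whose final host is a social network and whose profile is missing (the claimable case). The `fetch` stub, the sample template, the handle names and the `OWNED_DOMAINS` list are constructed for the example; detecting a missing Twitter profile by an HTTP 404 or the "This account doesn't exist" text quoted in the write-up is an assumption, since the live site may render that text client-side and a production check would use the platform's API instead.

```python
"""Added example (not from the write-up): audit social-media links in an outgoing
email template for Broken Link Hijacking candidates.

Assumptions, not facts from the page:
  - fetch(url) returns (status_code, final_url, body_text); the stub below is
    an offline stand-in for a real HTTP client that follows redirects.
  - A missing Twitter profile is detected by HTTP 404 or the phrase the
    write-up quotes ("This account doesn't exist").
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose profile URLs a third party can register (takeover is possible)
SOCIAL_HOSTS = {"twitter.com", "www.twitter.com", "x.com",
                "facebook.com", "www.facebook.com"}
# Domains the organisation controls (constructed list); dead links here are not hijackable
OWNED_DOMAINS = {"paytm.com"}
# Straight and curly apostrophe variants of the message quoted in the write-up
MISSING_ACCOUNT_TEXT = ("this account doesn't exist", "this account doesn’t exist")


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML template."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value.strip())


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_owned(host):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def extract_links(html):
    """Return the http(s) links in the template; mailto:, tel: etc. are skipped."""
    parser = LinkExtractor()
    parser.feed(html)
    return [h for h in parser.links if urlparse(h).scheme in ("http", "https")]


def classify(url, fetch):
    """Return one of: ok, internal-broken, claimable, error."""
    status, final_url, body = fetch(url)
    final_host = host_of(final_url)
    missing = any(t in body.lower() for t in MISSING_ACCOUNT_TEXT)
    if 200 <= status < 300 and not missing:
        return "ok"
    if is_owned(final_host):
        return "internal-broken"      # dead, but only we can put content there
    if final_host in SOCIAL_HOSTS:
        return "claimable"            # anyone can register this handle
    return "error"


def audit_template(html, fetch):
    """Map each link in the template to its classification."""
    return {url: classify(url, fetch) for url in extract_links(html)}


def claimable_links(html, fetch):
    """Just the links that need immediate attention."""
    return sorted(u for u, v in audit_template(html, fetch).items() if v == "claimable")


# Constructed sample template mirroring the write-up: one reset link, one
# Facebook link, and two Twitter links (one lands on our own blog, one on a
# missing profile).
SAMPLE_EMAIL = """<html><body>
<p>Reset your password: <a href="https://paytm.com/reset?token=EXAMPLE">Reset</a></p>
<a href="https://www.facebook.com/example_page">Facebook</a>
<a href="https://twitter.com/example_handle_one">Twitter</a>
<a href="https://twitter.com/example_handle_two">Twitter</a>
</body></html>"""

# Constructed offline responses: (status, final URL after redirects, body text)
FAKE_RESPONSES = {
    "https://paytm.com/reset?token=EXAMPLE": (200, "https://paytm.com/reset?token=EXAMPLE", "Reset form"),
    "https://www.facebook.com/example_page": (200, "https://www.facebook.com/example_page", "Example page"),
    "https://twitter.com/example_handle_one": (404, "https://blog.paytm.com/missing", "Not found"),
    "https://twitter.com/example_handle_two": (404, "https://twitter.com/example_handle_two",
                                               "This account doesn’t exist"),
}


def fake_fetch(url):
    """Stand-in for a real HTTP client; unknown URLs look like a network error."""
    return FAKE_RESPONSES.get(url, (0, url, ""))


if __name__ == "__main__":
    for url, verdict in audit_template(SAMPLE_EMAIL, fake_fetch).items():
        print(f"{verdict:16} {url}")
```

Run against the sample, the audit flags only `example_handle_two` as claimable; the first Twitter link is reported as `internal-broken` because its redirect ends on a subdomain of an owned domain, which is exactly the no-impact case from the write-up. Wiring `fetch` to a real client and running this over every template in the mail pipeline (and re-running it on a schedule, since handles get renamed) is what turns the one-off finding into a control.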
Report Details: