July 13, 2026
How I Turned a Magic Link Feature Into Account Takeover
Hi, I’m mrx_w_ (Adem Ziane Berroudja), a bug bounty hunter on Bugcrowd. You can find me on Twitter and LinkedIn under mrx_w_. In this…
By mrx_w_
1 min read
Hi, I'm mrx_w_ (Adem Ziane Berroudja), a bug bounty hunter on Bugcrowd. You can find me on Twitter and LinkedIn under mrx_w_. In this write-up, I'll share how I discovered an account takeover vulnerability in a magic-link authentication flow on a target I'll refer to as redacted.com.
While testing the application's authentication features, I noticed that users could log in using a magic-link feature instead of a password.
The feature was simple: enter an email address, receive a login link by email, and click the link to gain access to the account.
Since authentication flows are always interesting from a security perspective, I decided to inspect the request responsible for generating the login link.
After intercepting the request i got this :
POST /auth/api/generate-login-link HTTP/2
Host: www.redacted.com
Content-Type: application/x-www-form-urlencoded\
email=victim@example.com&redirect-url=https://www.redacted.com/POST /auth/api/generate-login-link HTTP/2
Host: www.redacted.com
Content-Type: application/x-www-form-urlencoded\
email=victim@example.com&redirect-url=https://www.redacted.com/The parameter appeared to control where the user would be redirected after completing the login process.
The first thing that came to my mind was testing whether the application properly validated the redirect destination.
After trying several values, I that the validation logic was not checking trusted domains correctly.
The application was validating the redirect-url parameter by checking whether the supplied hostname ended with redacted.com.
Because of this, domains such as:
[https://attackerredacted.com](https://attackerredacted.com`)
or
[https://random-redacted.com](https://random-redacted.com`)
were accepted as trusted destinations even though they were completely attacker-controlled domains.
In my case i put https://bugcrowdtarget.com
When the email arrived, everything appeared completely legitimate and no indication of tampering was visible to the victim.
After clicking the login button, I was redirected to my controlled domain instead of the legitimate application.
After that i bought a new domain that ends with the target domain name and used it in my exploit so now if i put my own controled domain as the redirect-parameter the victim will be redirect to my own domain which i will be able to steal his login link which contain all the needed values to login to his account
The bug was triaged as P2 and i got paid from it .