July 16, 2026
A Newsletter Confirmation Link That Doubled as a Permanent, Non-Expiring Login Token
Summary

By NorthSideHacker
2 min read
Summary
A newsletter signup confirmation email contained a link with a token parameter that functioned as a full, standalone authentication credential — no session, cookies, or password required. Simply possessing the link was sufficient to gain authenticated access to the associated account's cart and checkout flow. The token showed none of the properties expected of a short-lived, single-use credential: it worked in a completely clean browser, survived logout, survived a fresh login on another session, survived a full password change, remained valid past 60+ minutes with no observed expiry, and could be reused repeatedly with no single-use enforcement.
Steps to Reproduce
- On one browser/device, log into an account normally.
- On a separate, clean/incognito browser, visit the site and submit the same account's email address to the newsletter signup form.
- Open the resulting confirmation email and copy the link, which contains a long hex token parameter.
- Open that link in a fully clean browser with no prior session — immediate authenticated access is granted.
- Log out on the original browser, then replay the same link — still authenticated.
- Log back in on the original browser (establishing a new session), then replay the link again — still authenticated.
- Change the account password, then replay the link once more — still authenticated.
- Replay the link several additional times in a row — continues to work, no single-use restriction observed.
- From the authenticated state reached via the link: cart contents can be edited, a new delivery address can be added, and checkout can be reached with the saved payment method selectable.
Impact
- Full unauthenticated account access — no password, active session, or cookie is required, only possession of a link that was sent via email and could plausibly be forwarded, leaked, cached, or intercepted.
- Persists through every standard remediation step a user would take — logging out, logging back in, and changing the password all failed to invalidate the token. A victim who suspects compromise and changes their password would have no reason to believe the exposure is still active, when it is.
- No expiry and no single-use enforcement, meaning a single leaked link grants indefinite, repeatable access rather than a one-time window.
- Concrete fraud path: with cart, address, and checkout access, an attacker can add a new delivery address and complete an order against the victim's saved payment method — effectively redirecting a paid order to themselves without ever needing credentials.
- Root cause implication: a token intended for a low-stakes purpose (confirming a newsletter signup) was implemented with the same broad authentication power as a real login session, without any of the safeguards a login credential would normally require (expiry, single-use, invalidation on password change).
Fix
Tokens issued for low-sensitivity actions like newsletter confirmation should never carry general authentication privileges. If a "magic link" style token is intended to log a user in, it needs to be treated with the same rigor as any other authentication credential: short expiry window, single-use enforcement, and invalidation tied to security-relevant events — logout, new login, and especially password change should all immediately revoke any outstanding tokens tied to that account. As a general principle, a token's scope and lifetime should match the sensitivity of what it grants access to, not the sensitivity of the action that originally issued it.