Dark C0d3rs
HackerOne Disclosed Reports - 2025-11-11 - Printable Version


HackerOne disclosed reports - 2025-11-11 - hashXploiter - 11-12-2025

Severity: High
Status: resolved

Two click Account Takeover


Bug reported by Franc Vian was disclosed on November 11, 2025, at 9:14 am | Deserialization of Untrusted Data

A vulnerability was discovered in the HEY Email Android application that allowed for a two-click account takeover. Improper handling of incoming deeplinks led to the application's authorization bearer token being sent to an attacker-controlled server if the user could be tricked into clicking a link and then performing an Undo action.