HackerOne Disclosed Reports - 2026-06-20 - Printable Version
Dark C0d3rs (https://darkcoders.wiki)
Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
Thread: HackerOne Disclosed Reports - 2026-06-20 (/Thread-HackerOne-Disclosed-Reports-2026-06-20)
HackerOne disclosed reports - 2026-06-20 - hashXploiter - 06-21-2026
Critical
resolved - 1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation
Bug reported by Duarte, disclosed on June 20, 2026, 3:58 pm | Improper Access Control - Generic

A vulnerability was discovered in the Khan Academy platform that allowed an attacker to achieve full account takeover of any user. The vulnerability was caused by an unescaped dot flaw in the regular expression used to validate redirect URLs. This allowed the attacker to register a malicious domain that passed the validation check, causing the victim's authentication token to be sent to the attacker's server. The attacker could then use this token to gain full access to the victim's account. The issue was addressed by escaping the dots in the regular expression.
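The regex bug class behind this report, shown as an added example (not code from the report or from Khan Academy): a redirect allowlist check whose dots are unescaped, the same check with the dots escaped (the fix the summary describes), and a parse-and-compare check that avoids the regex entirely. The allowed domain `example.com`, the pattern shapes and the sample URLs are all constructed for the demo; the real pattern is not on the page.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowed redirect domain for this demo.
ALLOWED_DOMAIN = "example.com"

# Weak pattern: both dots are unescaped, so "." matches ANY character,
# not only a literal dot (the flaw class the report describes).
WEAK_REDIRECT_RE = re.compile(r"^https://([a-z0-9-]+.)?example.com(/|$)")

# Fixed pattern: dots escaped, so only a literal "." can separate labels.
FIXED_REDIRECT_RE = re.compile(r"^https://([a-z0-9-]+\.)?example\.com(/|$)")


def weak_is_allowed(url: str) -> bool:
    return WEAK_REDIRECT_RE.match(url) is not None


def fixed_is_allowed(url: str) -> bool:
    return FIXED_REDIRECT_RE.match(url) is not None


def strict_is_allowed(url: str) -> bool:
    """Regex-free check: parse the URL and compare the exact host to the allowlist.

    Requires https and no userinfo; the host must be the allowed domain itself or
    a subdomain of it (the leading "." enforces a label boundary).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


# Constructed sample inputs: legitimate targets and lookalike hosts that an
# unrelated party could register. In the weak pattern the first "." swallows
# the letter that precedes "example", so no real dot is required there.
SAMPLES = {
    "https://example.com/login": True,
    "https://app.example.com/": True,
    "https://appexample.com/": False,    # no dot before "example": different domain
    "https://notexample.com/cb": False,
}


def audit(check) -> list:
    """Return the sample URLs that `check` accepts although they must be rejected."""
    return [u for u, ok in SAMPLES.items() if check(u) and not ok]


if __name__ == "__main__":
    for name, fn in [("weak", weak_is_allowed), ("fixed", fixed_is_allowed), ("strict", strict_is_allowed)]:
        print(f"{name:6} wrongly accepts: {audit(fn)}")
```

Running `audit` against a real redirect validator with a corpus of lookalike hosts is a cheap regression test to keep in CI after a fix like this one.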