Severity: High | Status: resolved
Two click Account Takeover
Bug reported by Franc Vian, disclosed on November 11, 2025, 9:14 am | Deserialization of Untrusted Data
A vulnerability was discovered in the HEY Email Android application that allowed a two-click account takeover. Improper handling of incoming deeplinks led to the application's authorization bearer token being sent to an attacker-controlled server if the user could be tricked into clicking a link and then performing an Undo action.
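The underlying weakness is that a request derived from untrusted deeplink data carried the app's bearer token to whatever host the link named. The following Kotlin is an added illustration of the mitigation, not code from HEY or from the report: the bearer token is attached only when the destination is an HTTPS URL whose host exactly matches an allowlist, and it is withheld otherwise. The host `api.example-mail.test` and the token value are constructed placeholders; the `headersForDeeplinkRequest` function is hypothetical.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hosts the app is willing to authenticate to (constructed example values, not HEY's).
val TRUSTED_API_HOSTS: Set<String> = setOf("api.example-mail.test")

/**
 * Returns true only for an https URL whose host is exactly one of the trusted hosts.
 * Subdomain-suffix tricks (api.example-mail.test.attacker.example) fail the exact match,
 * plain-http URLs fail the scheme check, and unparseable URLs are rejected.
 */
fun isTrustedApiUrl(raw: String): Boolean {
    val uri = try {
        URI(raw)
    } catch (e: URISyntaxException) {
        return false
    }
    // URI.host is null for malformed or registry-based authorities (e.g. multiple '@').
    val host = uri.host?.lowercase() ?: return false
    val scheme = uri.scheme?.lowercase() ?: return false
    return scheme == "https" && host in TRUSTED_API_HOSTS
}

/**
 * Hypothetical helper: builds the headers for a request that originates from a deeplink.
 * The bearer token is only ever added for trusted destinations; a deeplink pointing at
 * an attacker-controlled host gets no Authorization header at all.
 */
fun headersForDeeplinkRequest(deeplinkUrl: String, bearerToken: String): Map<String, String> =
    if (isTrustedApiUrl(deeplinkUrl)) mapOf("Authorization" to "Bearer $bearerToken") else emptyMap()

fun main() {
    val token = "TOKEN_PLACEHOLDER" // constructed value, never a real credential
    val samples = listOf(
        "https://api.example-mail.test/messages/123",               // trusted: header attached
        "https://attacker.example/collect",                         // untrusted host: no header
        "https://api.example-mail.test.attacker.example/collect",   // suffix trick: no header
        "http://api.example-mail.test/messages/123",                // wrong scheme: no header
        "https://user@api.example-mail.test@attacker.example/",     // ambiguous authority: no header
        "not a url"                                                 // unparseable: no header
    )
    for (url in samples) {
        println("$url -> ${headersForDeeplinkRequest(url, token)}")
    }
}
```

The design choice worth noting is that the decision is made from the parsed host and scheme, not from a substring or prefix test on the raw string, and that the default outcome is to send no credential; the deeplink may still be opened, but only allowlisted hosts ever see the token.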

