Exploiting magic links, critical bugs are one line away

#cybersecurity #websec #bug-bounty #writeup #vulnerability #smfd #covid2019

Hello, luvs,

I haven't blogged for a while; we are facing a sad pandemic 😷 so I've decided to write this to make an important announcement, and also to entertain you with an interesting vulnerability I've found. Please read the short intro.


A short intro 

This post is gonna be short; it shows you the world's shortest P1, which only means one thing: the bugs you are not finding are the bugs you are not looking for! You hear this on Twitter these days, and here is the proof of how right it is. Also, I want to announce that we've made SMFD free for the current sad #COVID2019 situation. You can read the whole announcement here.

Why Razer?

When I was a teenager, I had this cool Razer mousepad and mouse and used them for playing pro Counter-Strike :D, so when I saw they have a bug bounty program on HackerOne, for the sake of good past memories I gave it a shot. I found some interesting subdomains, and I spent some time on the main app.


This issue is patched now, so the links aren't going to work. While poking around I found an interesting page,


, which contains some interesting JavaScript code:

    var razerId = 'razer######';

    var loginContactID = Number('20#####');

    if(loginContactID == 0)

        window.RzSdk = function() {

            client_id: '3acd8fd57cc5de89d69237a9726abd#######',
            scope: '',

        window.setInfo = function(info) {

            console.log("has error");

The most notable part is the endpoint:


With the exciting name of "loginUserFromCP", it seems to take a few parameters, so I tried an invalid parameter, and the application returned a regex error:



error:Pattern does not match: value 'h1' does not match pattern '^((([-_!#$%&'*+/=?^~{|}\w]+(.[.]?[-_!#$%&'+/=?^~`{|}\w]+))|("[^"]+"))@[0-9A-Za-z]+([-]+[0-9A-Za-z]+)(.[0-9A-Za-z]+([-]+[0-9A-Za-z]+))+[; ]*)$'; Contact.Emails[0].Address

Interesting, but on its own this is just a partial code disclosure without security impact (unless we can find a way to bypass it).

So next I tried entering my test username:

https://razer--tst1.custhelp.com/cc/Integration/RazerIDAuth/loginUserFromCP?&account=0xsha%[email protected]

Then I see a redirect to


but if we visit


, it logs us in as the user, who can create a case. During my test, when you log in using this link, you cannot see the user's existing support cases (different DB?), but you can trigger an email from Razer, or open and view any cases created there, without authentication.

  1. Open a new clean browser and visit
     (it should ask for authentication).
  2. Now visit the PoC URL
     &account=0xsha%[email protected]
     (it should redirect you to Razer ID, but do not log in).
  3. Visit
     ; we can see the ticket.

Finally, I checked the vulnerable path on the main domain


There we go, a one-liner P1:


https://mysupport.razer.com/cc/Integration/RazerIDAuth/[email protected]

At this point I knew it was a severe bug, so I reported it, but it turned out to be a duplicate, found by @p3rr0he, who had also taken it further and recovered the correct primary support email username (brute force, contact pages and support subdomains are at least a few places to find it).


Here is how the final panel looked:





Feb 17th Reported Issue.

Feb 18th Nice find and good work on this; unfortunately, it's a duplicate.

Mar 4th Issue Resolved.  

Okay, that's it. What a beautiful bug!

#StaySafe #StayHome




