# 1 Click Account Take Over

* This is a write-up about a highly interesting bug bounty case from our team. It's a business logic issue that could lead to an Account Takeover with just one click. It's quite exciting to contribute to [HackTricks](https://book.hacktricks.xyz/pentesting-web/account-takeover) with this finding.

<figure><img src="https://2201636059-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSfoQhbocJNOvMrmTVxh9%2Fuploads%2Fd4lit3zMtN7Pt6xSQ7NQ%2Fimage.png?alt=media&#x26;token=49e982b7-f04c-49e7-8201-cbcfb36eb9fc" alt=""><figcaption></figcaption></figure>

### TIP:

* The attacker requests to change his email to a new one
* The attacker receives a link to confirm the email change
* The attacker sends the link to the victim, who clicks it
* The victim's email is changed to the one indicated by the attacker
* The attacker can recover the password and take over the account
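
A minimal model of the confirm step behind the flow above, added here as an example (not code from the original report or the affected application). It assumes the flaw is that the confirmation handler applies the pending address to whichever session opens the link; all names, the in-memory stores and the 15-minute token lifetime are hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime
users = {}    # user_id -> {"email": str}
pending = {}  # sha256(token) -> pending change request

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def _clock(now):
    return time.time() if now is None else now

def request_email_change(session_user, new_email, now=None):
    """Record the request and return the token mailed to new_email."""
    token = secrets.token_urlsafe(32)
    pending[_digest(token)] = {
        "user_id": session_user,  # account that asked for the change
        "new_email": new_email,
        "expires": _clock(now) + TOKEN_TTL,
    }
    return token

def confirm_vulnerable(session_user, token):
    """Flawed: the change lands on whoever is logged in when the link opens."""
    req = pending.pop(_digest(token), None)
    if req is None:
        return False
    users[session_user]["email"] = req["new_email"]
    return True

def confirm_hardened(session_user, token, now=None):
    """Apply the change only to the account that requested it."""
    key = _digest(token)
    req = pending.get(key)
    if req is None or _clock(now) > req["expires"]:
        pending.pop(key, None)
        return False
    # A link opened from another account's session is rejected and that
    # account's record is left untouched.
    if req["user_id"] != session_user:
        return False
    del pending[key]  # single use
    users[req["user_id"]]["email"] = req["new_email"]
    return True
```

Storing only the token digest and writing to `req["user_id"]` rather than the session's user means a leaked or forwarded link cannot retarget the change. Notifying the old address and requiring re-authentication before the change request are complementary controls.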

> **You can also read the full blog post here:**

{% embed url="<https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea>" %}

Thanks for reading, have a nice day :heartbeat:
