CSRF to ATO: How I Took Over Accounts on Target.com with One POST Request
Summary
The author found a CSRF vulnerability on target.com: the request that updates a user's email address had no anti-CSRF protection, so it could be issued from a third-party page to set the address to one the attacker controls.
A phishing page could therefore host a hidden form aimed at the email-change endpoint on target.com and submit it automatically on load; the victim's browser attaches their target.com session cookies to that POST, and the server accepts the change as if the user had made it.
An attacker could thus take over an account simply by getting a user who was logged in to target.com to visit a malicious web page.
The issue was found by plain inspection of the site's HTML forms; no JavaScript manipulation was needed.
With the email address under their control, the author then used the forgot-password flow, intercepted the SMS-based two-factor authentication code, and reset the user's password, completing the account takeover.