From Forgot Password to Forgot Validation: A Broken Flow That Let Me Take Over Accounts
Summary
A cybersecurity researcher details an account takeover flow they discovered while looking for bugs on a company’s platform.
They had initially started a routine subdomain scan, which revealed an “Authentication Dev Portal” (auth-dev.target.com) that was likely misconfigured.
After spoofing the URL and submitting it, they found that this portal allowed password resets for any account, regardless of the domain.
This meant they could reset the password of any user, even a privileged account, and take over the entire account.
They disclosed the issue to the company, which acknowledged the problem and fixed the flow.
The company also rewarded the researcher financially for their reporting.
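The bug class the summary describes, a reset flow that trusts the account identifier the client submits, set beside a fixed flow that derives the account from a single-use, expiring token. This is an added illustration, not code from the researcher or the affected company; the in-memory store, field names and 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store; the page describes no real schema.
USERS = {"alice@example.com": {"password": "old-pass", "role": "admin"}}
RESET_TOKENS = {}           # sha256(token) -> (email, expiry)
TOKEN_TTL = 15 * 60         # assumed lifetime in seconds


def vulnerable_reset(email, new_password):
    """Broken flow: resets whichever account the request names, with no
    proof that the requester controls it (the class of bug in the summary)."""
    user = USERS.get(email)
    if user is None:
        return False
    user["password"] = new_password
    return True


def request_reset(email, now=None):
    """Step 1 of the fixed flow: mint a random token bound to the account.
    Only its hash is stored, so a leaked store cannot be replayed."""
    if email not in USERS:
        return None         # respond identically to avoid account enumeration
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    issued = now if now is not None else time.time()
    RESET_TOKENS[digest] = (email, issued + TOKEN_TTL)
    return token            # delivered out of band to the account's address


def hardened_reset(token, new_password, now=None):
    """Step 2: the account comes from the token, never from client input;
    the token is consumed on first use and rejected after expiry."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop makes it single-use
    if entry is None:
        return False
    email, expiry = entry
    current = now if now is not None else time.time()
    if current > expiry:
        return False
    USERS[email]["password"] = new_password
    return True
```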