Sometimes, even the smallest mistakes in code can lead to serious security issues. During a recent security assessment, I found a bug that lets an attacker keep a password reset code alive for hours—far beyond its intended expiry time.
In this article, I’ll explain how the vulnerability works, how I found it, and why it can be dangerous if left unpatched.
Most websites let you reset your password by sending a 6-digit verification code to your email. This code usually expires after a short period — like 1 hour — to prevent abuse. That’s exactly what target.com claimed too.
But during testing, I found that you can request the same exact code again, and each time you request it, the 1-hour expiry resets. So instead of the code dying after 1 hour, you can keep it alive for 2, 3, or even more hours, just by repeating the request before it expires.
It’s like being told your parking meter runs out in 60 minutes — but every time you check your meter before time runs out, the clock resets to 60 again.
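The flaw described above, reconstructed as an added example (this is not code from the original post or from the site that was tested): a vulnerable reset-code store that re-sends the same code and restarts its 1-hour clock on every request, beside a hardened store in which every re-request mints a fresh code that retires the old one and verification is single-use and attempt-limited. The class and function names, the 50-minute re-request cadence and the `gen` hook (used only to make tests deterministic) are assumptions.

```python
import secrets

CODE_TTL = 3600  # the 1-hour lifetime the site claims for a reset code

class ResetRecord:
    def __init__(self, code: str, expires_at: float):
        self.code, self.expires_at, self.attempts = code, expires_at, 0

def new_code() -> str:
    return f"{secrets.randbelow(1_000_000):06d}"  # 000000..999999

class VulnerableResetStore:
    """Re-sending an unexpired code returns the SAME code and pushes its expiry out."""
    def __init__(self, gen=new_code):
        self.gen, self.records = gen, {}
    def request(self, email: str, now: float) -> str:
        rec = self.records.get(email)
        if rec and now < rec.expires_at:
            rec.expires_at = now + CODE_TTL  # BUG: the 1-hour clock restarts on every request
            return rec.code
        self.records[email] = ResetRecord(self.gen(), now + CODE_TTL)
        return self.records[email].code

class HardenedResetStore:
    """Each request mints a fresh code replacing the old one; verify is single-use and attempt-limited."""
    MAX_ATTEMPTS = 5
    def __init__(self, gen=new_code):
        self.gen, self.records = gen, {}
    def request(self, email: str, now: float) -> str:
        self.records[email] = ResetRecord(self.gen(), now + CODE_TTL)  # any earlier code is dead now
        return self.records[email].code
    def verify(self, email: str, code: str, now: float) -> bool:
        rec = self.records.get(email)
        if rec is None or now >= rec.expires_at or rec.attempts >= self.MAX_ATTEMPTS:
            return False
        rec.attempts += 1
        if secrets.compare_digest(rec.code, code):
            del self.records[email]  # single use: a correct code is consumed
            return True
        return False

def first_code_deadline(store, email="victim@example.com", rerequests=3, interval=50 * 60):
    """Constructed timeline: issue a code at t=0, re-request every `interval` seconds.
    Returns when the FIRST code stops working, or None if a newer code replaced it."""
    first = store.request(email, 0.0)
    for k in range(1, rerequests + 1):
        store.request(email, k * interval)
    rec = store.records[email]
    return rec.expires_at if rec.code == first else None
```

With three re-requests 50 minutes apart, the vulnerable store keeps the first code alive for 3.5 hours instead of 1; the hardened store reports None because each re-request retired the previous code.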
This bug may sound small, but here’s the problem: the 6-digit code only has 999,999 combinations. That’s not a lot. If…