Imagine being able to take over any user’s account on a platform — even without their interaction. No phishing, no social engineering, and no need for access to their inbox. Just a few crafted steps using the password reset feature, and suddenly, you’re inside their account with full control.
That’s exactly what I discovered on target.com during a deeper investigation into how their password reset system works. This vulnerability was not just dangerous — it was critical. It affected every user on the platform, regardless of whether they were verified or not. In this article, I’ll walk you through how a misconfiguration in their routing allowed full account takeover for any user with just their email address.
When a user requests a password reset on target.com, they receive a link in their email. This link usually leads to a secure password reset form and also includes a six-digit code. So far, that seems normal.
But here’s the problem: the six-digit code received in the email isn’t just used for resetting the password. Due to a misconfigured routing setup, this same code also works on another route — the email verification endpoint.
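To make the root cause concrete, here is an added example (not target.com's code; written for this article) of a one-time-code store in Python. The first verifier reproduces the flaw described above, accepting any live code for the user no matter which endpoint asks, and the second binds each code to the purpose it was issued for, with expiry and single use. The in-memory store, user ids and purpose names are assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for a database or cache.
# Key: (user_id, purpose) -> {"code", "expires", "used"}
CODE_TTL_SECONDS = 600


def issue_code(store, user_id, purpose, now=None):
    """Issue a six-digit one-time code bound to a user AND a purpose."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    store[(user_id, purpose)] = {"code": code,
                                 "expires": now + CODE_TTL_SECONDS,
                                 "used": False}
    return code


def verify_code_vulnerable(store, user_id, code):
    """Flawed check: matches any outstanding code for the user and ignores
    the purpose, so a password-reset code also passes email verification."""
    return any(rec["code"] == code
               for (uid, _purpose), rec in store.items() if uid == user_id)


def verify_code_hardened(store, user_id, purpose, code, now=None):
    """Accept a code only for the (user, purpose) it was issued for,
    only before it expires, and only once."""
    now = time.time() if now is None else now
    rec = store.get((user_id, purpose))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    if not hmac.compare_digest(rec["code"], code):  # constant-time compare
        return False
    rec["used"] = True  # burn the code so it cannot be replayed
    return True


def demo():
    """Walk through the scenario with a fixed clock (constructed data)."""
    store = {}
    reset_code = issue_code(store, "alice", "password_reset", now=1000.0)
    return {
        "vuln_accepts_reset_code_anywhere":
            verify_code_vulnerable(store, "alice", reset_code),
        "hard_rejects_email_verify":
            verify_code_hardened(store, "alice", "email_verify", reset_code, now=1001.0),
        "hard_accepts_password_reset":
            verify_code_hardened(store, "alice", "password_reset", reset_code, now=1001.0),
        "hard_rejects_replay":
            verify_code_hardened(store, "alice", "password_reset", reset_code, now=1002.0),
    }
```

The same binding applies whether the code lives in a database row, a cache entry or a signed token: the purpose is part of what is checked, not just the user and the digits.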