During one of my recent assessments, I decided to take a closer look at how automated emails were being handled by the platform. While casually exploring the email flows, I stumbled upon yet another open redirect vulnerability — this time within the welcome email system itself.
While reviewing the behavior of these automated emails, I noticed a flaw that could let attackers redirect users to unintended websites. The issue lies in how download links are generated in welcome emails, allowing manipulation by anyone who sends a crafted request.
The endpoint responsible for sending welcome emails allows the sender to customize the URLs for downloading the app. Specifically, two parameters — androidUrl and iosUrl — can be controlled in a POST request. If a malicious actor replaces these URLs with links to external sites, users who receive the email will be redirected to unexpected locations.
https://api.target.com/marketing/send-welcome-email
POST /marketing/send-welcome-email HTTP/2…
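As an added example (not code from the original post or the affected platform), the following shows the flaw side by side with a server-side fix: the welcome-email handler should only accept androidUrl and iosUrl values that point at an allowlisted store host, and fall back to its own defaults otherwise. The store hostnames and default URLs are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of app-store hosts, keyed by the request parameter.
# In a real service this lives in server-side configuration, not in the request.
ALLOWED_DOWNLOAD_HOSTS = {
    "androidUrl": {"play.google.com"},
    "iosUrl": {"apps.apple.com"},
}

# Assumed server-side defaults used whenever the caller's value is rejected.
DEFAULT_DOWNLOAD_URLS = {
    "androidUrl": "https://play.google.com/store/apps/details?id=com.example.app",
    "iosUrl": "https://apps.apple.com/app/id000000000",
}


def is_allowed_download_url(param: str, url: str) -> bool:
    """True only if `url` is an https link whose host is allowlisted for `param`."""
    try:
        parts = urlsplit(url)
        # Reject URLs carrying credentials or an explicit port; neither belongs in
        # a store link, and userinfo tricks like host@other.example are a classic bypass.
        if "@" in parts.netloc or parts.port is not None:
            return False
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower()
    # Exact host match: a prefix such as play.google.com.other.example does not qualify.
    return host in ALLOWED_DOWNLOAD_HOSTS.get(param, set())


def build_welcome_links_vulnerable(body: dict) -> dict:
    """'Before': whatever the caller sends is embedded in the email unchanged."""
    return {p: body.get(p, DEFAULT_DOWNLOAD_URLS[p]) for p in DEFAULT_DOWNLOAD_URLS}


def build_welcome_links_hardened(body: dict) -> dict:
    """'After': a caller-supplied URL is used only if it passes the allowlist check."""
    links = {}
    for param, default in DEFAULT_DOWNLOAD_URLS.items():
        candidate = body.get(param)
        ok = isinstance(candidate, str) and is_allowed_download_url(param, candidate)
        links[param] = candidate if ok else default
    return links
```

The strongest fix is to not read these URLs from the request at all; the allowlist check is the fallback when the parameters must stay for legitimate per-region store links.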