In the name of Allah, the Most Beneficent, the Most Merciful.
O Allah, send blessings, peace and grace upon our Prophet Muhammad.
Hello Hunters,
Welcome to my first write-up in bug bounty!
I had the pleasure of collaborating with @h0tak88r on a private bug bounty program on HackerOne.
Together, we uncovered a “0-Click Mass Account Takeover via Password Reset Functionality”.
Let’s start the story!
While collaborating with my friend sallam, the vulnerability we found turned out to reside in the password reset mechanism.
Overview:
We identified a critical vulnerability in Target.com’s password reset functionality that allows an attacker to take over any account without requiring user interaction. This flaw stems from improper validation of the password reset verificationCode, enabling attackers to exploit the password reset process through fuzzing.
We initiated a password reset for an account on Target.com and received a reset link:
https://www.target.com/auth/#/resetPassword/abcd123
The link contained a verificationCode (abcd123).
We replaced this code with random values (e.g., abcd123 → FUZZ) to see how the system would respond.
To our surprise, the server consistently returned a 200 OK status without any indication of whether the code was valid or not.
Digging Deeper: Monitoring the API Requests
We proceeded with the password reset process and closely monitored the network traffic. During this, we observed the following API request:
POST /ws/account/reset-password HTTP/2
Host: www.target.com
Content-Type: application/json
Content-Length: 74
{"password":"NewPassword123","verificationCode":"abcd123","recaptchaToken":"<recaptcha_token>"}
This was where things became interesting. We decided to fuzz the verificationCode directly in this API request and encountered reCAPTCHA challenges.
Although we couldn’t bypass reCAPTCHA, we noticed that setting the recaptchaToken to true provided valuable error messages:
Invalid codes resulted in a 400 Bad Request.
Valid codes led to a 401 Unauthorized, indicating a valid code but with failed reCAPTCHA validation.

HTTP/2 400 Bad Request
{"resultCode":"UNKNOWN_VERIFICATION_CODE","errorMessage":"Unknown verification code."}

HTTP/2 401 Unauthorized
{"errorMessage":{"code":"authorization.invalid_recaptcha","params":{}}}
These responses allowed us to distinguish between valid and invalid codes.
Boooom…!!!
Armed with this knowledge, an attacker could:
Initiate a password reset for their own account.
Fuzz the verificationCode parameter to find valid codes.
Replace their own verification code with a valid one obtained from fuzzing.
Submit the request to reset the password of the targeted account.

By doing so, an attacker could take over accounts, potentially compromising a large number of users.
What started as a simple password reset feature revealed a major flaw that could have led to widespread account compromises.
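To make the root cause concrete, here is an added Python model (not code from the program, HackerOne or the authors) of the check ordering described above, next to a hardened handler: the captcha is verified before the code is looked up, failures are generic, and codes are long random tokens. The store, the captcha_ok stand-in and all names are assumptions for illustration.

```python
import secrets

# Constructed sample store of outstanding reset codes: code -> account.
# Names here (RESET_CODES, captcha_ok, ...) are hypothetical; the real
# service's storage and reCAPTCHA client are not known from the write-up.
RESET_CODES = {"abcd123": "victim@example.com"}

def captcha_ok(token: str) -> bool:
    """Stand-in for the server-side reCAPTCHA verification call."""
    return token == "valid-captcha-token"

def reset_vulnerable(code: str, token: str) -> tuple[int, str]:
    """Check order as observed in the write-up: the code is looked up before
    the captcha, so a request that fails the captcha still learns whether the
    code exists (400 vs 401)."""
    if code not in RESET_CODES:
        return 400, "UNKNOWN_VERIFICATION_CODE"
    if not captcha_ok(token):
        return 401, "authorization.invalid_recaptcha"
    return 200, "PASSWORD_RESET"

def reset_hardened(code: str, token: str) -> tuple[int, str]:
    """Captcha first, then one generic failure for everything else: a client
    that cannot pass the captcha gets the same answer for every code."""
    if not captcha_ok(token):
        return 401, "authorization.invalid_recaptcha"
    account = RESET_CODES.pop(code, None)  # codes are single use
    if account is None:
        return 400, "INVALID_REQUEST"
    return 200, "PASSWORD_RESET"

def issue_code(account: str) -> str:
    """Replace short, guessable codes with 256-bit random ones, so that even
    a leaky response oracle cannot be fuzzed in practice."""
    code = secrets.token_urlsafe(32)
    RESET_CODES[code] = account
    return code

def leaks_validity(handler) -> bool:
    """Does a client that fails the captcha see different responses for a
    valid and an invalid code? True means the handler acts as an oracle."""
    valid = handler("abcd123", "bad-captcha")
    invalid = handler("zzzz999", "bad-captcha")
    return valid != invalid
```

Running leaks_validity against both handlers shows the distinguishing behaviour the write-up relied on disappears once the captcha check comes first.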
Hope you liked the writeup.
Have a good day!! Happy hunting :)