The Silent Breach: A Story of Leaked Token and PII


whoami ¯\_(ツ)_/¯

Hello, fellow bug hunters and cybersecurity geeks! I’m Yash Nimbalkar. Currently pursuing my Master’s degree in Cyber Security, I spend some of my time poking around platforms to see whether they’ve left any digital doors open.

Today we will be discussing how I was able to leak Personally Identifiable Information (PII) of users and password reset tokens, creating a significant security risk. Let’s dive into it!

It all started with a simple curiosity. As usual I was looking out for target sites to do some testing, and I came across target.com, a well-known platform trusted by countless users. It was an SEO company that helped its clients boost their ad revenue and grow their audience. But after some searching, what I found this time was more alarming than I had expected.

As usual I began my testing on the site by trying to create an account. But after visiting console.target.com, I saw that there was no option to Sign Up or Register for an account. I tried to visit the following pages directly:
1. console.target.com/signup
2. console.target.com/register
But this gave me the “Page Not Found” error :(

So, after facing this issue, I shifted my focus to other aspects of the site, but it was mostly a static site, so there was not much that I could do.

After a bit more searching, I landed on the About Us section of the site, which listed the names of the team members. Then I got an idea: what if I crafted an email address such as firstName.lastName@target.com and tried it on the login page?

So I went back to console.target.com and clicked on Forgot Password. In the email field I entered the address I had crafted, captured the request in Burp, and to my surprise, it worked 🎉

Not only did it work, but the response contained the complete details of the employee, such as their id, role_id, username, email, phone number, address and, most importantly, the password reset token.

PII and Password Reset token Exposed 🤯

At that point I knew this was serious. But now I faced another problem: I did not have any password reset link in which to use the token. So I turned to waybackurls to see if any password reset link had been archived, and it turned out there was one.

I quickly grabbed the link, pasted the reset token into it, and voila! With this bug I was able to get into the account of any employee.

My mind raced as I tested another email. The result was the same. And when I entered admin@target.com, the consequences became even graver: the admin’s personal details and reset token were also exposed.

This wasn’t just a vulnerability — it was a glaring security breach.

The real danger wasn’t just in the ease of access. It was in the scale of exploitation. Attackers wouldn’t have to brute-force anything. Instead, they could:

1. Collect public employee emails.
2. Extract PII from the password reset response.
3. Gain unauthorized access to multiple accounts, including admin accounts.

This incident highlights the importance of secure password reset mechanisms and proper data handling. Organizations should take proactive measures to prevent such vulnerabilities, including:

1. Avoiding the exposure of sensitive information in API responses. PII and reset tokens should never be included in plaintext.
2. Implementing secure, one-time password reset links that expire quickly and are sent only via secure channels.
3. Using multi-factor authentication (MFA) to add an additional security layer to password reset processes.
4. Regularly auditing security workflows to identify and mitigate vulnerabilities before they can be exploited.

Ensuring these security practices are in place helps protect user data, maintain platform integrity, and build trust with users. Security should always be a continuous process, not a one-time fix.
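To make the first two recommendations concrete, here is an added example (not code from the original post or from the affected platform) of a forgot-password flow that returns the same generic response whether or not the email is registered, sends the token only by email, stores just a hash of it server-side, and accepts each token once before it expires. The user store, the console hostname and the `outbox` list standing in for an email service are assumptions for the demo.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Constructed in-memory user store standing in for the console's database (assumption).
USERS = {
    "jane.doe@example.com": {"id": 7, "role_id": 2, "phone": "+1-555-0100", "password_hash": None},
}

RESET_TTL_SECONDS = 15 * 60  # reset links expire quickly
# The API reply carries no PII and no token, and is identical for unknown addresses.
GENERIC_REPLY = {"message": "If that address is registered, a reset link has been emailed."}


@dataclass
class ResetStore:
    # token_hash -> (email, expires_at); only a hash of the token is ever stored
    pending: dict = field(default_factory=dict)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, store: ResetStore, outbox: list, now: float = None) -> dict:
    """Handle a forgot-password request; the response never reveals whether the account exists."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        store.pending[_hash_token(token)] = (email, now + RESET_TTL_SECONDS)
        # The token travels only in the e-mail (hostname is a placeholder for the demo).
        outbox.append((email, f"https://console.example.com/reset?token={token}"))
    return GENERIC_REPLY


def consume_reset(token: str, new_password: str, store: ResetStore, now: float = None) -> bool:
    """Redeem a reset link once; unknown, expired and reused tokens are all rejected."""
    now = time.time() if now is None else now
    entry = store.pending.pop(_hash_token(token), None)  # pop => single use
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    # Placeholder password hashing for the demo; use argon2 or bcrypt in production.
    USERS[email]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```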

I’m always eager to learn and grow in the field of cybersecurity. If you’d like to collaborate or discuss vulnerabilities, let’s connect:

LinkedIn | X (formerly Twitter)

Together, we can make the web a safer place, one vulnerability at a time. 🚀

Good Luck! Happy Hunting!
