Unauthenticated Password Reset Abuse
target.com had a serious vulnerability that allowed an attacker to remove user passwords without authentication. Combined with user enumeration and an XSS vulnerability, it could lead to large-scale account takeover. The core issue was that the captcha mechanism in the password reset flow lacked effective rate limiting. 2025-7-15 11:10:57 Author: infosecwriteups.com

Ehtesham Ul Haq


Hello fellow researchers and security professionals,

Today, I’d like to walk you through a serious vulnerability I discovered on target.com that allowed an attacker to remove user passwords at scale without any authentication. This issue, when combined with other common bugs like user enumeration and XSS, could lead to automated account takeovers affecting a large number of users.

Let’s break down the findings, starting with the core issue: Captcha enforcement and its weaknesses.

Captcha is typically used to prevent bots and automated attacks. In a secure implementation, it acts as a barrier that limits how often a particular action — like a password reset — can be attempted.

However, in this case, the captcha mechanism implemented in the password reset flow on target.com lacked effective rate limiting. This meant an attacker could continuously send password reset requests using different email addresses without ever getting blocked or throttled. Essentially, the captcha became a checkbox with no real defense power, especially when brute-forced or automated.
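As an added example (not code from the original post or from target.com), here is what the missing control looks like on the defending side: a password reset handler that counts attempts per email address and per client IP in a sliding window, so that passing a captcha is not the only barrier. The limits, the in-memory store and the endpoint shape are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed limits for illustration: tune to the real traffic profile.
RESET_WINDOW_SECONDS = 3600
MAX_RESETS_PER_EMAIL = 3
MAX_RESETS_PER_IP = 20


class ResetRateLimiter:
    """Sliding-window attempt counter keyed on (scope, value), e.g. ("email", addr)."""

    def __init__(self, window=RESET_WINDOW_SECONDS, clock=time.monotonic):
        self.window = window
        self.clock = clock  # injectable so tests can advance time
        self.events = defaultdict(deque)

    def allow(self, key, limit):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


def request_password_reset(email, client_ip, captcha_ok, limiter):
    """Returns a status string. The reply for known and unknown addresses is the
    same ("accepted"), so the endpoint does not double as a user-enumeration oracle."""
    if not captcha_ok:
        return "captcha_failed"
    # A solved captcha only proves one challenge was answered; without counting
    # attempts it does not bound how many resets a single client can trigger.
    if not limiter.allow(("ip", client_ip), MAX_RESETS_PER_IP):
        return "throttled"
    if not limiter.allow(("email", email.lower()), MAX_RESETS_PER_EMAIL):
        return "throttled"
    # send_reset_email(email) would be called here (hypothetical helper).
    return "accepted"


def accepted_with_rotating_emails(n, limiter=None):
    """How many of n resets from one IP, each to a fresh address, get through.
    Models the scenario above: the per-email limit never trips, the per-IP one does."""
    limiter = limiter or ResetRateLimiter()
    accepted = 0
    for i in range(n):
        status = request_password_reset(f"user{i}@example.com", "203.0.113.5", True, limiter)
        accepted += status == "accepted"
    return accepted
```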


Source: https://infosecwriteups.com/unauthenticated-password-reset-abuse-ad2375b358f5?source=rss----7b722bfd1b8d---4