How I Found a Way to Prolong Password Reset Code Expiry
Summary
Web developer Ehteshamul Haq has discovered a serious security flaw in Target’s password recovery system that could allow attackers to circumvent the 1-hour expiry of password reset codes.
Haq claims that each time a new code is requested, the expiry timer is reset rather than the old code being invalidated, giving an attacker multiple hours to guess the 6-digit code, which only has 999,999 combinations.
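The reported flaw and its fix, shown side by side as an added illustration (this is not code from Target or from Haq's report; the store classes, the `MAX_ATTEMPTS` budget of five guesses and the sample user names are assumptions made for the example). The vulnerable store keeps the same code on a repeat request and just pushes its expiry forward, which is the timer-reset behaviour described above; the hardened store replaces the outstanding code on every request, enforces a guess budget and makes a code single-use, so re-requesting can never lengthen the window in which any one code is guessable.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 3600       # one-hour code lifetime, as in the report
MAX_ATTEMPTS = 5      # assumed wrong-guess budget per issued code (not from the report)


@dataclass
class ResetRecord:
    code: str
    expires_at: float
    attempts: int = 0


def generate_code() -> str:
    """Six-digit numeric code, zero-padded, from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableResetStore:
    """Reproduces the flaw: a repeat request keeps the existing code and resets its timer."""

    def __init__(self, code_source=generate_code):
        self._records = {}
        self._code_source = code_source  # injectable for deterministic tests

    def request_code(self, user: str, now: float) -> str:
        rec = self._records.get(user)
        if rec is None:
            rec = ResetRecord(code=self._code_source(), expires_at=now + CODE_TTL)
            self._records[user] = rec
        else:
            rec.expires_at = now + CODE_TTL  # the bug: same code, fresh hour
        return rec.code

    def verify(self, user: str, code: str, now: float) -> bool:
        rec = self._records.get(user)
        if rec is None or now > rec.expires_at:
            return False
        return hmac.compare_digest(rec.code, code)  # no attempt limit, no single-use


class HardenedResetStore:
    """Fix: every request replaces the outstanding code; codes are budgeted and single-use."""

    def __init__(self, code_source=generate_code):
        self._records = {}
        self._code_source = code_source

    def request_code(self, user: str, now: float) -> str:
        # A fresh code overwrites any earlier one, so no code ever outlives its original hour.
        rec = ResetRecord(code=self._code_source(), expires_at=now + CODE_TTL)
        self._records[user] = rec
        return rec.code

    def verify(self, user: str, code: str, now: float) -> bool:
        rec = self._records.get(user)
        if rec is None or now > rec.expires_at:
            self._records.pop(user, None)  # expired codes are discarded, not revived
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._records[user]        # guess budget exhausted: code is burned
            return False
        if hmac.compare_digest(rec.code, code):
            del self._records[user]        # single-use: a correct code is consumed
            return True
        return False


def original_code_valid_after_rerequest(store_cls) -> bool:
    """Issue a code at t=0, re-request at t=3000 s, then present the ORIGINAL code at
    t=5400 s (90 minutes after issue, past its own hour).  True means the timer reset
    kept the first code alive."""
    codes = iter(["123456", "654321"])  # constructed, deterministic sample codes
    store = store_cls(code_source=lambda: next(codes))
    first = store.request_code("alice", now=0.0)
    store.request_code("alice", now=3000.0)
    return store.verify("alice", first, now=5400.0)


def lockout_after_wrong_guesses() -> bool:
    """After MAX_ATTEMPTS wrong guesses the real code must no longer be accepted."""
    store = HardenedResetStore(code_source=lambda: "123456")
    store.request_code("bob", now=0.0)
    for _ in range(MAX_ATTEMPTS):
        store.verify("bob", "000000", now=1.0)
    return store.verify("bob", "123456", now=2.0) is False


def code_is_single_use() -> bool:
    store = HardenedResetStore(code_source=lambda: "123456")
    store.request_code("carol", now=0.0)
    first_ok = store.verify("carol", "123456", now=10.0)
    second_ok = store.verify("carol", "123456", now=20.0)
    return first_ok and not second_ok


if __name__ == "__main__":
    print("vulnerable: original code still valid after re-request ->",
          original_code_valid_after_rerequest(VulnerableResetStore))   # True
    print("hardened:   original code still valid after re-request ->",
          original_code_valid_after_rerequest(HardenedResetStore))     # False
    print("hardened lockout works ->", lockout_after_wrong_guesses())    # True
    print("hardened single-use works ->", code_is_single_use())          # True
```

The check worth keeping from this is the one in `original_code_valid_after_rerequest`: a code issued at time zero must be rejected after its hour no matter how many further reset requests were made in between. A guess budget on its own is not enough, because without invalidating the previous code an attacker who can trigger requests keeps the same target; invalidation on re-request is what removes the extended window.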
The bug demonstrates how sometimes simple coding errors can create significant security vulnerabilities.
This is especially important considering the increasing number of high-profile attacks on websites and platforms with weak or flawed password systems.
Increasing focus on the user experience and customer-centric design could be a contributing factor to such errors slipping through the net.
The report suggests that Target has since fixed the issue.