Unverified Email Change Flaw on Apps.Target.com: A Sneaky Account Takeover Trick
Summary
Security researcher Dominik Benz has discovered a flaw on apps.target.com that permits an attacker to take over any email address without needing any verification.
This is done by creating two accounts, one with the attacker’s email and one with the victim’s.
The attacker then changes their details to the victim’s email address, without the change being verified.
The attacker then enables two-factor authentication (2FA) so if the victim tries to access their own account, they are locked out.
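The following is an added illustration, not code from the original post or from Target: a constructed in-memory account store showing the flawed flow described above (the new address is bound immediately) beside a hardened flow that binds it only after a one-time token sent to the new address comes back, and re-checks at confirmation time that the address is not already verified on another account.

```python
import hmac
import secrets

# Constructed in-memory account store for this illustration (not Target's code).
class AccountStore:
    def __init__(self):
        self.accounts = {}      # account_id -> {"email", "pending", "token"}
        self.email_index = {}   # verified email -> account_id

    def create(self, account_id, email):
        self.accounts[account_id] = {"email": email, "pending": None, "token": None}
        self.email_index[email] = account_id

    # Flawed flow described on the page: the new address is bound at once,
    # with no proof that the requester controls that mailbox.
    def change_email_unverified(self, account_id, new_email):
        acct = self.accounts[account_id]
        del self.email_index[acct["email"]]
        acct["email"] = new_email
        self.email_index[new_email] = account_id   # silently displaces the other account's binding

    # Hardened flow, step 1: record the request and hand a one-time token to the
    # mailer. The user-facing response is identical whether or not new_email is
    # already registered, so the endpoint does not reveal which addresses exist.
    def request_email_change(self, account_id, new_email):
        acct = self.accounts[account_id]
        token = secrets.token_urlsafe(32)
        acct["pending"], acct["token"] = new_email, token
        return token   # delivered only to new_email; never shown to the requester

    # Hardened flow, step 2: rebind only when the token returns from the new
    # address, and only if no other account already holds that verified address.
    def confirm_email_change(self, account_id, token):
        acct = self.accounts[account_id]
        if acct["token"] is None or not hmac.compare_digest(acct["token"], token):
            return False
        new_email = acct["pending"]
        acct["pending"], acct["token"] = None, None   # token is single-use
        owner = self.email_index.get(new_email)
        if owner is not None and owner != account_id:
            return False   # address stays with the account that verified it
        del self.email_index[acct["email"]]
        acct["email"] = new_email
        self.email_index[new_email] = account_id
        return True
```

A production version would also require fresh re-authentication before the request and notify the old address of the pending change.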
This type of attack is described as "Account Takeover" and is increasingly popular among cybercriminals because taking over one account is a first step towards stealing other connected accounts.
It is also possible to take over a Facebook account through a similar method.