Easy Way For Bounty , OTP Bypass !!!

Hello amazing Hunter.

Today I want Talk about one of my Report that i can’t Believe after a long time other Hunters dose not report it as soon as possible.

First of all my name is Arman and this is my first post and i hope be Helpful for you. Let’s go …

I choose a program in small platform which the last 10 reports was Duplicated But the site has a lot of functions that means ….Challenge accepted…..😎

So around 3 ~ 4 Days i found an IDOR and something else but unfortunately all of them was Duplicate :) okey , I am fine…

Let’s talk about how website work in registering. that was really close other flow , when user enter email and password for authentication an OTP code send to email and after enter code , We successfully login in to the account.

I spend some hours to analyze all the requests after a long time i notice that there is nothing to verify my email 😁 . Let me explain more exactly what i mean.

Usually if we capture the request for verify OTP code, we have some parameters in body or Cookie 🍪 to show this OTP code is for which user

Example :


but in this senior we have nothing in requests for verify that OTP is for my email. it means that ….

Step By Step:

  1. Register with abc@evil.com and get OTP 123 but don’t enter OTP. ( browser 1)
  2. In other browser registers with def@evil.com and OTP 456 but don’t enter OTP Again. ( browser 2)
  3. Enter 123 OTP for def@evil.com and 456 for abc@evil.com
  4. Browser 1 successfully login in to def@evil.com and browsers 2 successfully login in to abc@evil.com

I immediately report the bug and it triaged next day😎

I Hope this write up was Helpful for you. Have Good Day






Maybe Hunter But absolutely a movie fan :)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store