How I Made $2000 from an Easy Bug


Abhijeet Kumawat


Here’s one more write-up from me. This time, we’re talking about an OTP bypass that could have led to mass account takeovers on a well-known ride-sharing app. Let’s dive in! 🕵️‍♂️💻

Image created by Copilot

I discovered a critical vulnerability in ***** that allowed an attacker to take over any phone number linked to an account. The issue? A broken OTP validation process. 😱

1️⃣ Open the ***** app and go to Account Settings.

2️⃣ Choose to update your phone number.

3️⃣ Enter a new phone number.

4️⃣ The app prompts for a 4-digit OTP verification.

5️⃣ Instead of the real OTP, simply enter “0000”.

6️⃣ BOOM! 🎉 The phone number gets updated — without any verification! 🤯

This bug was so simple yet dangerous, allowing anyone to hijack accounts just by entering a default OTP. A proof-of-concept video even demonstrated this working with a random number. 📹😨
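The write-up does not say why “0000” was accepted, so the following is an added illustration, not the app’s code and not the author’s proof of concept. It assumes one common root cause for this class of bug: a hard-coded “master” OTP left enabled in production. The vulnerable verifier is shown beside a hardened one that enforces a single-use, time-limited, randomly generated code with an attempt cap and a constant-time comparison. All names (MASTER_OTP, OtpChallenge, issue_otp, verify_otp_vulnerable, verify_otp_hardened, update_phone_number) are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# ASSUMPTION (not stated in the write-up): a developer bypass code was left in
# the production verifier. Any caller who knows it passes verification.
MASTER_OTP = "0000"


def verify_otp_vulnerable(stored_otp: str, submitted: str) -> bool:
    """Vulnerable pattern: the real OTP *or* the hard-coded master code is accepted."""
    if submitted == MASTER_OTP:          # the bypass the write-up's steps exploit
        return True
    return submitted == stored_otp       # also a non-constant-time comparison


OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class OtpChallenge:
    """Server-side state for one OTP issued for one phone-number change."""
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


def issue_otp(now: Optional[float] = None, code: Optional[str] = None) -> OtpChallenge:
    """Generate a fresh random OTP (code parameter exists only so tests are deterministic)."""
    now = time.time() if now is None else now
    if code is None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    return OtpChallenge(code=code, expires_at=now + OTP_TTL_SECONDS)


def verify_otp_hardened(challenge: OtpChallenge, submitted: str,
                        now: Optional[float] = None) -> bool:
    """Hardened verifier: no master code, single use, expiry, attempt cap, constant-time compare."""
    now = time.time() if now is None else now
    if challenge.used or now > challenge.expires_at:
        return False
    if challenge.attempts >= MAX_ATTEMPTS:
        return False                     # locked; caller must issue a new challenge
    challenge.attempts += 1              # count every attempt, including malformed input
    if not (submitted.isdigit() and len(submitted) == len(challenge.code)):
        return False                     # "0000" never matches a 6-digit challenge
    if not hmac.compare_digest(submitted.encode(), challenge.code.encode()):
        return False
    challenge.used = True                # burn the code so a replay of the request fails
    return True


def update_phone_number(account: dict, new_number: str, submitted_otp: str,
                        verify: Callable[[str], bool]) -> bool:
    """Apply the phone change only when the supplied verifier accepts the OTP.

    The account dict is a constructed stand-in for the app's user record.
    """
    if not verify(submitted_otp):
        return False
    account["phone"] = new_number
    return True


if __name__ == "__main__":
    victim_number = "+15550001234"       # constructed sample data

    # Vulnerable flow: the attacker types "0000" and the number is re-bound.
    acct = {"phone": "+15559990000"}
    ok = update_phone_number(acct, victim_number, "0000",
                             lambda s: verify_otp_vulnerable("4821", s))
    print("vulnerable verifier accepted 0000:", ok, acct)

    # Hardened flow: "0000" is rejected; only the issued code works, and only once.
    acct = {"phone": "+15559990000"}
    ch = issue_otp()
    print("hardened rejects 0000:", not update_phone_number(
        acct, victim_number, "0000", lambda s: verify_otp_hardened(ch, s)))
    print("hardened accepts real code once:", update_phone_number(
        acct, victim_number, ch.code, lambda s: verify_otp_hardened(ch, s)))
    print("replay rejected:", not verify_otp_hardened(ch, ch.code))
```

When testing a phone-change flow like the one above, the checks to run are exactly the ones the hardened verifier enforces: submit an all-zero or otherwise fixed code, replay a code that already succeeded, submit a code after its expiry window, and hammer one challenge with many guesses. A correct implementation fails all four.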

Here’s the detailed step-by-step guide on how I found and exploited this vulnerability:

1. Logged into the ***** app.
2. Navigated to the Account Settings page.
3. Found the option to change the phone number.
4. Entered a new phone number and clicked Submit.
5. The app sent an OTP request to my number.
6. Used Burp Suite to intercept the request and analyze the response. 🔎