The $2,200 ATO Most Bug Hunters Overlooked by Closing Intruder Too Soon


Mohsin khan

Bug hunting is a mix of technical skills, persistence, and curiosity. Sometimes, the simplest bugs are overlooked because of one thing — assumptions. This story isn’t about a groundbreaking exploit; it’s about patience and why you should always follow through.

The program I was testing — let’s call it redacted.com — was well-established and heavily tested. Here’s how the web app worked:

- Users log in using their email address.
- A 6-digit numeric OTP is sent to their email.
- The OTP is entered to access the account; no passwords are involved.

It was a straightforward mechanism, making it an ideal candidate for testing OTP brute force vulnerabilities.

Like every bug hunter, I opened Burp Suite, captured the OTP request, and sent it to Intruder for brute-forcing. With a 6-digit OTP, there were 1,000,000 possible combinations (000000 to 999999).

At first, everything seemed normal. The requests returned 200 OK for invalid OTPs, indicating that the server was processing them correctly.

After 20 attempts, the server’s response changed. I started receiving 401 Unauthorized for all subsequent OTP guesses.

Here’s where most bug hunters stop. It’s easy to assume that the system has implemented a rate limit or lockout mechanism. Even triagers often make this assumption.

But I didn’t stop. I had a habit of letting Intruder run until it either completed the range or hit a valid OTP. My curiosity pushed me to see how the server would handle a correct OTP, even after I had started getting 401/429 status codes.

The triager initially doubted the severity of the issue, assuming it was protected by rate limiting, and asked me to take over his account.

I let Intruder run. It was a test of patience — request after request, all I saw were 401 Unauthorized responses.

After nearly 200,000 requests and two hours, something incredible happened. Among the flood of 401 responses, I noticed a 200 OK status code.

When I inspected the response, I found that it contained the access token — the key to account access. The server had no real rate-limiting mechanism; it was merely returning 401 for invalid OTPs. A valid OTP still bypassed this pseudo-protection.
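To make the root cause concrete from the defender's side, here is an added example that is not code from redacted.com (the write-up shows none): a hypothetical OTP verifier with the pseudo-lockout shape described above, beside a hardened one that burns the code once the threshold is reached. The 20-attempt threshold and the `access_token` value are assumptions taken from the narrative.

```python
import hmac
import secrets

OTP_LENGTH = 6
MAX_FAILED_ATTEMPTS = 20  # assumed threshold, mirrors the 20 attempts in the write-up


class OtpSession:
    """One issued OTP for one login attempt (hypothetical model, not the vendor's)."""

    def __init__(self):
        self.code = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
        self.failed_attempts = 0
        self.consumed = False


def verify_pseudo_lockout(session, guess):
    """Vulnerable pattern from the write-up: past the threshold the server answers
    401 instead of 200 for wrong guesses, but still compares every guess, so the
    correct OTP is accepted no matter how many failures came before it."""
    if session.code == guess:
        session.consumed = True
        return 200, "access_token"
    session.failed_attempts += 1
    return (401, None) if session.failed_attempts > MAX_FAILED_ATTEMPTS else (200, None)


def verify_hardened(session, guess):
    """Fixed: the counter is checked before the comparison, and once the threshold
    is hit the OTP is invalidated, so even the correct code is refused and the
    user must request a fresh one. The comparison is constant-time."""
    if session.consumed or session.failed_attempts >= MAX_FAILED_ATTEMPTS:
        session.consumed = True  # burn the code: the 401 is now a real lockout
        return 401, None
    if hmac.compare_digest(session.code, guess):
        session.consumed = True
        return 200, "access_token"
    session.failed_attempts += 1
    return 401, None


def correct_code_after_lockout(verify):
    """Constructed scenario: exceed the threshold with wrong guesses, then submit
    the real code. Returns (status, token) for that final, correct submission."""
    session = OtpSession()
    wrong = "000000" if session.code != "000000" else "000001"
    for _ in range(MAX_FAILED_ATTEMPTS + 5):
        verify(session, wrong)
    return verify(session, session.code)
```

Run `correct_code_after_lockout` against both verifiers: the pseudo-lockout still hands out the token after 25 failures, the hardened one does not.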

The program rewarded me with $2,200 for uncovering this issue.

This bug wasn’t technically complex. It was simple — anyone could have found it. But what set me apart was persistence.

Here’s why most bug hunters miss bugs like this:

- They see 401 Unauthorized or 429 responses and assume the system has implemented effective rate limiting. Let it run until it reaches a valid OTP and see how the server responds.
- They stop Intruder before completing the range.
- They lack the patience to let a brute-force attack run its course.

This experience taught me a valuable lesson: don’t assume until it’s done. Bugs like these hide behind assumptions, and only those willing to push past them will uncover the gold.

Bug hunting isn’t always about advanced skills — it’s about perseverance. So the next time you see a 401/429 or hit what seems like a dead end, remember this story. Let the test run, follow through, and stay curious.

Happy hunting, and may your patience lead to great rewards!
