The author experienced an OTP bypass when changing their phone number on a ride-sharing app, allowing them to update the number without verification.
This posed a critical vulnerability as an attacker could hijack any account by simply entering four zeros as the authentication code.
In a proof-of-concept video, the author demonstrates the vulnerability in the following steps:
1. Explore the account settings to change the phone number.
2. Enter a new phone number.
3. Bypass the OTP by entering “0000” instead of the real code.
4. Update the phone number, bypassing all security protocols.
The author uses debugging tools to analyze the vulnerabilities in the request and identify the issue.
They encourage bug bounty hunters to look for similar vulnerabilities in authentication processes across various platforms.
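For the defending side, here is a sketch of a server-side check under which a fixed value such as “0000” cannot confirm a phone-number change. It is an added example, not code from the write-up or the app; the write-up does not state the root cause, and the class name, return strings, 6-digit code length, TTL and attempt limit are all assumptions.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy value
MAX_ATTEMPTS = 5        # assumed policy value


class PhoneChangeVerifier:
    """Hypothetical server-side OTP check for a phone-number change."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> issued challenge

    def start(self, user_id, new_phone):
        # Code comes from a CSPRNG; there is no default or test value.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = {
            "phone": new_phone,
            "code": code,
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # in production, handed to the SMS gateway only

    def confirm(self, user_id, new_phone, submitted):
        ch = self._pending.get(user_id)
        if ch is None:
            return "no_challenge"      # nothing issued, so nothing can match
        if self._clock() > ch["expires"]:
            del self._pending[user_id]
            return "expired"
        ch["attempts"] += 1            # every guess counts, right or wrong
        if ch["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]
            return "locked"
        if ch["phone"] != new_phone:
            return "phone_mismatch"    # code is bound to the requested number
        # Constant-time comparison on bytes; differing lengths never match.
        if not hmac.compare_digest(ch["code"].encode(), submitted.encode()):
            return "wrong_code"
        del self._pending[user_id]     # single use
        return "ok"
```

The phone number is updated only when `confirm` returns "ok"; every other result leaves the account unchanged.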
The author polled participants to determine their average hourly payout in order to extrapolate the earning potential for this particular bug.
The resulting calculation assumes a conservative estimate of 3 hours for the discovery and write-up, and from that derives the potential earning power.
This is contrasted with the fact that many bounty hunters undervalue their time and expertise.