How I Bypassed BookMyShow’s OTP Limit with Just a Space & Got ₹1000 for It!
Summary
Blogger Sneha Annalinga found a bug in BookMyShow’s rate limit on its one-time password (OTP) authentication system two years ago.
The Indian movie booking site allows three OTP requests per mobile number before it blocks the number, to stop potential attackers from triggering an unlimited stream of authentication messages to one phone.
However, Annalinga found that simply appending a space to the mobile number reset the quota, so OTPs could be sent to the same number indefinitely.
Annalinga reported the bug and was paid $1,000 as part of the site’s responsible disclosure process.
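The root cause the summary describes is a rate limiter keyed on the raw string the client submits rather than on a canonical form of the phone number. The following added example (not code from Annalinga's post or from BookMyShow) shows a sliding-window OTP limiter in both modes: keyed on the raw input, where `"9876543210 "` is a fresh quota, and keyed on a canonicalised number, where every spelling shares one quota. The phone numbers, the ten-digit Indian-mobile rule, and the window length are constructed assumptions for the example.

```python
import re
import time
from collections import defaultdict

MAX_REQUESTS = 3          # OTP sends allowed per number within the window
WINDOW_SECONDS = 600      # sliding-window length (assumed value for this example)


class OtpRateLimiter:
    """Sliding-window counter of OTP sends per key.

    normalize=False keys on the raw string the client supplied, which is the
    weakness the article describes: "9876543210" and "9876543210 " are counted
    as two different numbers, so a trailing space resets the quota.
    normalize=True canonicalises the number first, so every spelling of the
    same number shares one quota.
    """

    def __init__(self, normalize: bool, now=time.monotonic):
        self.normalize = normalize
        self.now = now
        self._sends = defaultdict(list)   # key -> timestamps of recent sends

    @staticmethod
    def canonical(mobile: str) -> str:
        """Reduce a number to its ten national digits; reject anything else.

        The ten-digit / optional '91' prefix rule is an assumption made for
        this example, not a claim about BookMyShow's validation.
        """
        digits = re.sub(r"\D", "", mobile)          # drop spaces, '+', dashes
        if len(digits) == 12 and digits.startswith("91"):
            digits = digits[2:]                     # strip country code
        if len(digits) != 10:
            raise ValueError(f"invalid mobile number: {mobile!r}")
        return digits

    def _key(self, mobile: str) -> str:
        return self.canonical(mobile) if self.normalize else mobile

    def request_otp(self, mobile: str) -> bool:
        """Return True if an OTP may be sent, False if the number is blocked."""
        key = self._key(mobile)
        t = self.now()
        recent = [ts for ts in self._sends[key] if t - ts < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS:
            self._sends[key] = recent
            return False
        recent.append(t)
        self._sends[key] = recent
        return True


def simulate(normalize: bool) -> int:
    """Request OTPs with several spellings of one number; return how many were sent."""
    limiter = OtpRateLimiter(normalize=normalize)
    # Constructed inputs: the same number written four ways.
    variants = ["9876543210", "9876543210 ", " 9876543210", "+91 98765 43210"]
    sent = 0
    for mobile in variants:
        for _ in range(MAX_REQUESTS + 1):   # one more than the quota, per spelling
            if limiter.request_otp(mobile):
                sent += 1
    return sent


if __name__ == "__main__":
    print("raw-string key:  ", simulate(normalize=False), "OTPs sent")   # 12
    print("canonical key:   ", simulate(normalize=True), "OTPs sent")    # 3
```

The fix is to canonicalise once, at the edge, and use that canonical value both as the rate-limit key and as the destination handed to the SMS gateway; if the two are derived from different strings, a limiter can still be keyed on a variant the gateway treats as identical. The same reasoning applies to any rate limit keyed on user-controlled text (e-mail addresses, usernames): normalise before counting.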