How I Bypassed OTP Like a Devil, Leading to Full Account Takeover
Introduction:
Hello, hackers! Zero is back with another thrilling tale from my bug bounty adventures. This time, I went head-to-head with a seemingly impenetrable OTP system, only to uncover a devilishly simple bypass that led to a full account takeover. Sound exciting? Buckle up, because this story is a rollercoaster of curiosity, creativity, and responsible disclosure.
If you’re new to hacking, don’t worry — you’ll find this breakdown easy to follow and, hopefully, inspiring! Let’s dive in!
How I Did It
The target site, let’s call it radicated.com, had a simple setup:
- OTP-based login.
- Email and password login.
- Google login.
Now, when I saw the OTP login option, my inner hacker thought, Can I bypass this and take over an account? The challenge was on! Spoiler: I pulled it off. Here’s how it happened.
Analyzing the OTP Request
After entering the OTP on the website, I intercepted the outgoing request. It looked something like this:
After submitting the wrong OTP, I intercepted the request and saw the server’s response. It simply said:
So, I decided to play around a bit — I intercepted the response and changed the status code to something like 200 OK. And guess what? Boom! NOTHING happened. Boo! It was a bit of a letdown, but hey, not every trick works on the first try!
So, I wasn’t ready to give up just yet. Instead of sulking, I thought, “Let’s spice things up!” I intercepted the response again — this time, I didn’t just tweak the status code; I decided to make some bold moves in the response body.
I changed the "type" field to "REGISTER", hoping it might trigger something interesting. For a second, I felt like a mad scientist flipping random switches in a lab. Would it work? Would it explode? My heart was racing as I sent the modified response back to the server...
And guess what?
BOOM! It worked like a charm. By simply tweaking the response, I was able to take over any account linked to a phone number. Just like that, I could hijack anyone’s account and claim it as my own. Hahaha! It felt unreal — like holding the master key to an entire digital kingdom.
Alright, let’s get into the juicy details!
Here’s what I actually did:
I intercepted the server’s response and decided to try something different. Instead of just messing around with the status code (like I did earlier), I made two key changes:
- I changed the response body's "type" field to "REGISTER".
- I updated the status code to 200 OK.
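The takeover worked because the client's next step was driven by a response the client itself could rewrite. As an added example (not code from this post or from the target site), here is a minimal Python flow in which account access depends on a proof token the server mints only after it has checked the OTP itself, so forging the status code or the "type" field on the client side changes nothing; the phone numbers, store names and function names are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the backend database.
OTP_STORE = {}   # phone -> (otp, expires_at)
PROOFS = {}      # proof token -> (phone, expires_at)
ACCOUNTS = {"+15550001111": {"owner": "victim", "session": None}}  # constructed

def issue_otp(phone, ttl=300):
    """Mint a 6-digit OTP for the phone (it would go out by SMS)."""
    otp = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[phone] = (otp, time.time() + ttl)
    return otp

def verify_otp(phone, submitted):
    """Check the OTP on the server. Only a correct code yields a proof token;
    the status/type fields are for the UI and carry no authority."""
    record = OTP_STORE.pop(phone, None)          # single use: a guess burns it
    if record is None or time.time() > record[1]:
        return {"status": 400, "type": "ERROR", "proof": None}
    if not hmac.compare_digest(record[0], submitted):   # constant-time compare
        return {"status": 400, "type": "ERROR", "proof": None}
    proof = secrets.token_urlsafe(32)
    PROOFS[proof] = (phone, time.time() + 120)
    return {"status": 200, "type": "LOGIN", "proof": proof}

def claim_account(phone, proof):
    """Bind a session to the account only if the proof was minted by
    verify_otp for this same phone. Client-side edits cannot create one."""
    entry = PROOFS.pop(proof, None) if proof else None
    if entry is None or entry[0] != phone or time.time() > entry[1]:
        return None
    session = secrets.token_hex(16)
    ACCOUNTS.setdefault(phone, {"owner": None})["session"] = session
    return session

def simulate_tampered_client(phone):
    """Replay the post's trick against this design: submit a wrong OTP, then
    rewrite the response the client sees to 200 / REGISTER."""
    real = issue_otp(phone)
    wrong = "000001" if real == "000000" else "000000"   # guaranteed wrong
    resp = verify_otp(phone, wrong)
    resp["status"], resp["type"] = 200, "REGISTER"   # forged on the client
    return claim_account(phone, resp["proof"])       # None: no valid proof

if __name__ == "__main__":
    print("tampered client got session:", simulate_tampered_client("+15550001111"))
```

The point of the split is that the thing granting access (the proof token) never passes through a field the client is allowed to choose.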
Conclusion:
And that, my fellow hackers, is how I bypassed OTP and pulled off a full account takeover. Sometimes, hacking is all about thinking outside the box and playing around with the smallest details. What may seem like an ordinary request can turn into an opportunity for full control with the right tweaks. Always remember, it’s not just about brute force, but about strategy, creativity, and testing every possible vulnerability.
So, keep learning, keep experimenting, and never forget to report responsibly. Happy hacking! Happy hunting!
Follow me on X and LinkedIn for more hacking adventures, tips, and tricks! Let’s stay connected and learn together. Stay curious, stay safe, and never stop hacking!