OTP Login Rate Limit Bypass — The Easiest Bug for Beginners to Discover
“This story was originally published on my previous Medium account, which was unfortunately deleted. The original post garnered significant attention, with many views and followers, and I’m republishing it here to share my journey with a new audience and reconnect with readers who may remember it.”
Hello friends,
Today, I’m going to share a vulnerability that might motivate beginners struggling to find their first bug. It’s a simple yet impactful issue: OTP login rate limit bypass, where the endpoint that checks the one-time password does not limit failed attempts (or the limit can be evaded), so a short numeric code can simply be guessed. If you’re new to bug bounty, I highly recommend testing for this, as it’s easier to find than most other technical vulnerabilities. Look for web applications or mobile apps that allow users to log in using an OTP.
Finding the Bug
I started by searching for Indian startup web applications and luckily found a few that used OTP-based login. This write-up is about one such case that I found in cricheros.in and the method I used to exploit it.
I picked the website, entered my mobile number on the login page, and requested an OTP. As expected, I received a 6-digit code on my phone. But instead of entering the correct OTP, I deliberately entered a wrong 6-digit number while monitoring the network requests using Firefox’s Developer Tools.
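To make the failure mode concrete, here is an added example of my own, not code from the original post or from the site it discusses. It simulates an OTP verification endpoint in-process: `VulnerableOtpVerifier` has no attempt limit, so a 6-digit code falls to a straight counting brute force; `HardenedOtpVerifier` locks the code after `MAX_ATTEMPTS` wrong guesses, makes it single-use, and rejects malformed input. The class and function names, the phone number, and the threshold value are all assumptions chosen for the illustration.

```python
import secrets

OTP_LENGTH = 6        # digits in the code, as in the write-up
MAX_ATTEMPTS = 5      # assumed lockout threshold for the hardened verifier


class VulnerableOtpVerifier:
    """Issues a 6-digit OTP per phone number and checks guesses with no attempt limit.

    This is the weak behaviour the write-up targets: the only defence is the
    size of the code space, which is 10**6 guesses at most.
    """

    def __init__(self):
        self.codes = {}   # phone -> current OTP

    def send_otp(self, phone):
        code = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
        self.codes[phone] = code
        return code       # a real service sends this by SMS instead of returning it

    def verify(self, phone, guess):
        # No counter, no lockout, no single-use: every wrong guess is free.
        return self.codes.get(phone) == guess


class HardenedOtpVerifier(VulnerableOtpVerifier):
    """Same interface, but failed guesses are counted per phone and the code is single-use."""

    def __init__(self):
        super().__init__()
        self.failed = {}  # phone -> wrong guesses against the current code

    def send_otp(self, phone):
        self.failed[phone] = 0          # a fresh code resets the counter
        return super().send_otp(phone)

    def is_locked(self, phone):
        return self.failed.get(phone, 0) >= MAX_ATTEMPTS

    def verify(self, phone, guess):
        code = self.codes.get(phone)
        if code is None:
            return False                # no outstanding OTP for this number
        if self.is_locked(phone):
            return False                # locked: even the right code is refused until a new OTP is requested
        if not (isinstance(guess, str) and len(guess) == OTP_LENGTH and guess.isdigit()):
            self.failed[phone] += 1     # malformed input still burns an attempt
            return False
        if secrets.compare_digest(code, guess):
            del self.codes[phone]       # single-use: the code cannot be replayed
            return True
        self.failed[phone] += 1
        return False


def brute_force(verifier, phone, max_tries=10 ** OTP_LENGTH):
    """Count upward from 000000 and stop at the first accepted code.

    Returns (code, attempts_used), or (None, attempts_used) if nothing was accepted.
    """
    for n in range(max_tries):
        guess = f"{n:0{OTP_LENGTH}d}"
        if verifier.verify(phone, guess):
            return guess, n + 1
    return None, max_tries


if __name__ == "__main__":
    phone = "+919999999999"   # constructed number for the demo
    weak = VulnerableOtpVerifier()
    real_code = weak.send_otp(phone)
    found, tries = brute_force(weak, phone)
    print(f"unlimited verifier: recovered {found} (real {real_code}) after {tries} guesses")

    strong = HardenedOtpVerifier()
    strong.send_otp(phone)
    found, tries = brute_force(strong, phone, max_tries=MAX_ATTEMPTS + 100)
    print(f"hardened verifier: recovered {found} after {tries} guesses; locked={strong.is_locked(phone)}")
```

The brute force against the unlimited verifier always terminates with the correct code, at worst after one million requests, which is a matter of minutes for any HTTP fuzzing tool. Against the hardened verifier the same loop burns its five attempts and then gets `False` forever, including for the right code, until a new OTP is requested. A real deployment should also throttle by source IP and add an expiry on the code, since a per-phone counter alone does not stop an attacker from requesting a fresh code and restarting.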