2778 | Is Math.random() Safe? from missing rate limit to bypass 2fa and possible sqli | Race condition, Lack of rate limiting, OTP bypass, SQL injection | NA | Yasser Mohammed (@boomneroli) | Bug Bounty | 2021-02-20 | 2023-06-13 |
2699 | OTP brute-force via rate limit bypass | Bruteforce, Lack of rate limiting, OTP bypass | NA | Bilal Muqeet (@blmqt) | Bug Bounty | 2021-03-21 | 2023-06-13 |
2636 | Lets Learn English - Hacking 10M+ Users | AWS misconfiguration, Insecure Firebase database, OTP bypass, Account takeover, Logic flaw | NA | Aseem Shrey (@AseemShrey) | Bug Bounty | 2021-04-17 | 2023-06-13 |
2535 | How I turned 0000 into $600: Phone Verification Bypass | OTP bypass | NA | Shrirang Diwakar | Bug Bounty | 2021-05-21 | 2023-06-13 |
2502 | 403 Forbidden Bypass | OTP bypass, Exposed registration page, XSS | NA | th3.d1p4k (@DipakPanchal05) | Bug Bounty | 2021-06-04 | 2023-06-13 |
2248 | How I can take over any user’s account with their mobile number | Account takeover, OTP bypass, Authentication bypass | NA | Sushmitha Katikitala | Bug Bounty | 2021-09-06 | 2023-06-13 |
2190 | Improper phone number validation to account takeover | Logic flaw, OTP bypass, Account takeover | NA | shesha sai_c (@Cyb3r_4ss4s1n) | Bug Bounty | 2021-09-27 | 2023-06-13 |
2181 | How I found bug on Google Cloud | OTP bypass | Google | Anuragbhoir11 | Bug Bounty | 2021-09-30 | 2023-06-13 |
2148 | 500$ Bug: Sensitive Data Exposure to Broken Access Control leads, How I able to take over any account of India’s Biggest College Ever.👨💻 | OTP bypass, Account takeover, Password reset | NA | Gowtham_Naidu (@NaiduPonnana) | Bug Bounty | 2021-10-13 | 2023-06-13 |
2029 | Bypassing Box’s Time-based One-Time Password MFA | OTP bypass, MFA bypass | Box | Tal Peleg | Bug Bounty | 2021-12-02 | 2023-06-13 |
2024 | How I managed to hack User accounts of a billion-dollar sport platform | OTP bypass, Bruteforce, Lack of rate limiting | NA | Vishnuraj | Bug Bounty | 2021-12-04 | 2023-06-13 |
1910 | Mixed Messages: Busting Box’s MFA Methods | OTP bypass, MFA bypass | Box | Tal Peleg | Bug Bounty | 2022-01-18 | 2023-06-13 |
1778 | Hacking Subscription Plans for free service. | Payment bypass, OTP bypass | NA | Muhammad Khizer Javed (@khizer_javed47) | Bug Bounty | 2022-02-27 | 2023-06-13 |
1569 | Its all about 2fa bypass, or Account Takeover | Password reset, Account takeover, OTP bypass | NA | anjaneyulu kanakatla | Bug Bounty | 2022-05-08 | 2023-06-13 |
1565 | Account verification code bypass lead to a $4000 bounty | OTP bypass | NA | Mohsin Khan (@tabaahi_) | Bug Bounty | 2022-05-08 | 2023-06-13 |
1448 | Account Takeover by OTP bypass | Information disclosure, Client-side enforcement of server-side security, OTP bypass, Account takeover | NA | Vaibhav Kumar Srivastava | Bug Bounty | 2022-06-19 | 2023-06-13 |
1398 | Exposing Millions of Voter ID card users’ details. | IDOR, OTP bypass, Account takeover, Logic flaw | CERT-In | Aziz Al Aman (@nxtexploit) | Bug Bounty | 2022-07-06 | 2023-06-13 |
1003 | Bugcrowd — Tale of multiple misconfigurations!! ❌ | Account takeover, OAuth, OTP bypass, Password reset | NA | Vaibhav Lakhani | Bug Bounty | 2022-10-04 | 2023-06-13 |
290 | How I chained multiple High-impact vulnerabilities to create a critical one. | Account takeover, IDOR, OTP bypass, HTTP response manipulation | NA | Vinay Jagetiya (@princej_76) | Bug Bounty | 2023-03-17 | 2023-06-13 |
272 | Story of a Beautiful Account Takeover. | Account takeover, OTP bypass | NA | Ambush Neupane (@N_ambush) | Bug Bounty | 2023-03-23 | 2023-06-13 |