I recently decided to begin my bug bounty journey *seriously*. Instead of jumping into big-name programs and feeling overwhelmed, I chose a random public website to practice on. My goal was simple: learn, break things ethically, and maybe find something interesting.

I didn't expect the website to help me this much.

The first thing I noticed was the login page. No email. No username. Just a **contact number** and a **password**. That alone was enough to make my hacker senses tingle. Phone-number-based authentication always looks innocent… until it isn't.

So I did what any curious bug bounty hunter would do — I switched into OSINT mode 😎. I searched LinkedIn, Googled around, and looked for employees connected to the company. After some digging, I found one profile that looked promising. A little more public research later, and boom — I had a contact number that seemed legit.

Great. Contact number? Password?

That's when my favorite feature came to the rescue.

**"Forgot Password" ❤**

I clicked it without hesitation. The flow was simple: enter the contact number, receive an OTP, and reset the password. When the OTP arrived, I noticed something… suspicious. It was only **four digits** long. No CAPTCHA. No warning. No "try again later" message.

At that moment, my brain went: *"Hmm… should I?"* Also my brain: *"Of course you should."*

I intercepted the OTP verification request using **Burp Suite** and sent it straight to **Intruder**. I set up a basic brute-force attack for all 4-digit combinations and hit start. I leaned back, took a sip of water, and waited.

And then… **Boom💥**

I had the correct OTP.

Using that OTP, I reset the password and successfully logged in as a real user. I stared at the screen for a second, slightly confused, slightly impressed, and slightly concerned.

👉 POC 1: OTP brute-force using Burp Intruder (screenshot)

👉 POC 2 to POC 8 (screenshots)

Just when I thought I was done, the application decided to surprise me again. Inside the login options, I noticed another feature: **Login with OTP**. No password required. Just a phone number and an OTP.

At this point, it felt illegal *not* to test it.

I tried the OTP login flow. Same four-digit OTP. Same missing protections. Same unlimited attempts. I repeated the same steps — intercept, Intruder, brute-force — and once again…

**Boom. Logged in. Again. 💥**

Now it was crystal clear. If an attacker knows a valid phone number, they can take over accounts effortlessly. No password guessing. No phishing. Just brute-force and vibes heheheheh.

This wasn't some complex vulnerability. It was a combination of small mistakes — weak OTP length, no rate limiting, no lockout, and no verification controls — that together created a full authentication bypass.

### How This Can Be Fixed

To prevent this, the application should enforce strict rate limiting on OTP verification attempts and limit failed attempts per user and per IP. OTPs should be at least six digits long and expire quickly. Adding CAPTCHA after multiple failures and temporarily locking accounts would drastically reduce abuse. Proper monitoring and alerting for repeated OTP failures would also help detect attacks early.
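The controls above, as an added example that is not part of the original write-up or the target application: a small OTP issue/verify service with a six-digit code generated from a CSPRNG, a short expiry, a per-number failed-attempt limit, a lockout once that limit is hit, single-use codes and a constant-time comparison. The phone number, limits and time values are constructed for illustration; per-IP limiting is assumed to sit in front of this at the gateway.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # six digits instead of the four seen in the write-up
OTP_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5        # failed guesses allowed before the code is burned
LOCKOUT_SECONDS = 900   # how long the number stays locked after that


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


class OtpService:
    """Issue and verify SMS-style OTPs with expiry, attempt limits and lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so tests can move time forward
        self.pending = {}         # phone -> OtpRecord for the one active code
        self.locked_until = {}    # phone -> unix time when the lockout ends

    def issue(self, phone):
        # Refuse to hand out a fresh code while the number is locked out
        if self.locked_until.get(phone, 0) > self.clock():
            raise PermissionError("phone number is locked out")
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[phone] = OtpRecord(code=code, issued_at=self.clock())
        return code  # in production this goes to the SMS gateway, never to the client

    def verify(self, phone, guess):
        now = self.clock()
        if self.locked_until.get(phone, 0) > now:
            return False
        rec = self.pending.get(phone)
        if rec is None:
            return False
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self.pending[phone]   # expired codes are discarded, not compared
            return False
        rec.attempts += 1
        if hmac.compare_digest(rec.code, guess):   # constant-time comparison
            del self.pending[phone]                # a code is single use
            return True
        if rec.attempts >= MAX_ATTEMPTS:
            del self.pending[phone]                # burn the code after too many misses
            self.locked_until[phone] = now + LOCKOUT_SECONDS
        return False
```

With these limits an attacker gets at most five guesses per issued code instead of all 10,000 (or 1,000,000) of them, and every burn-out shows up as a lockout event worth alerting on.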

### Final Thoughts

This experience reminded me that you don't always need advanced exploits to find serious bugs. Sometimes all it takes is curiosity, Burp Suite, and a four-digit OTP that trusts users a little too much.

POCs and screenshots are added for clarity. Happy hacking…