This wasn't some planned attempt.
I was just casually exploring a mobile application, clicking around, testing different inputs, basically being curious.
And then… something didn't feel right.
🤝 Responsible Disclosure
The issue was responsibly reported to the platform's security team and has been acknowledged and fixed. Sensitive technical details are intentionally left out of this article.
🤔 How I Actually Found It
I started with the signup process and entered a long, complex password.
Everything worked fine.
No errors. No warnings.
But when I moved to the login screen, I noticed something unexpected:
👉 After a certain number of characters, the app stopped accepting further input.
At first, I thought:
"Maybe this is just a UI limitation…"
So I didn't assume it was a bug yet.
🔍 Verifying the Behavior
To understand it better, I compared it with the web version of the same application.
There, the password input worked normally, even with longer passwords.
That's when it clicked:
Same system, different behavior: something isn't right.
🧪 Re-testing to Confirm
To be sure, I tested again:
- Created another account
- Used a long password
- Tried logging in
And again…
👉 The mobile app stopped accepting input after a certain length.
Now it was clear:
This wasn't random — it was consistent behavior.
🧠 Technical Insight
In a secure authentication system:
- The entire password should be accepted and processed, and the same length rules should apply at signup and at login
- Longer passwords should increase security, not break functionality
- Behavior should be consistent across platforms (web vs mobile), since all clients authenticate against the same backend
If an application limits or mishandles password input:
- It may reduce the effective password strength: a silently truncated password is only as strong as the part that is kept
- It creates a gap between user expectation and system behavior: the user believes their full password is in use when it isn't
- It can lead to unexpected authentication issues, such as a password accepted at signup that can no longer be entered at login
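As an added illustration (not the application's code and not the author's PoC), the following constructed Python model shows the two failure modes just listed: one credential store, a signup path that keeps the full password, and a login path that silently drops input past a limit, the way a UI maxlength would. The 16-character limit, the user names, the sample passwords and the PBKDF2 stand-in for the real password hashing are all assumptions.

```python
"""Constructed example: inconsistent password length limits across clients."""
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed limit: the mobile login screen stops accepting input after this
# many characters; the signup screen and the web login screen have no limit.
MOBILE_LOGIN_MAX = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash the whole password. PBKDF2-HMAC-SHA256 is a stand-in for the
    real KDF; the point is that the full input reaches the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class CredentialStore:
    """Server side: stores salt + hash of whatever the client sends,
    with no length policy of its own (the weak setting)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def signup(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, hash_password(password, salt))


def signup_input(password: str) -> str:
    return password  # signup screen accepts the full password


def web_login_input(password: str) -> str:
    return password  # web login accepts the full password


def mobile_login_input(password: str) -> str:
    # Silently discards everything past the limit, as the text describes.
    return password[:MOBILE_LOGIN_MAX]


def demo_inconsistent_limit() -> dict[str, bool]:
    """Signup keeps the full password; mobile login cannot send it back."""
    store = CredentialStore()
    pw = "correct horse battery staple 2024!"  # constructed, 34 characters
    store.signup("alice", signup_input(pw))
    return {
        "web_login": store.login("alice", web_login_input(pw)),        # True
        "mobile_login": store.login("alice", mobile_login_input(pw)),  # False
    }


def demo_truncation_weakens_password() -> dict[str, bool]:
    """If BOTH signup and login truncate, only the first 16 characters
    matter: any password sharing that prefix is accepted."""
    store = CredentialStore()
    pw = "correct horse battery staple 2024!"
    store.signup("bob", mobile_login_input(pw))
    impostor = pw[:MOBILE_LOGIN_MAX] + "XXXXXXXXXXXXXXXXXX"  # same prefix
    return {
        "real_password": store.login("bob", mobile_login_input(pw)),
        "prefix_collision": store.login("bob", mobile_login_input(impostor)),
    }


def password_policy_ok(password: str, max_len: int = 128) -> bool:
    """Hardened rule: one server-side length check shared by every client
    and applied identically at signup and login. Over-long input is
    rejected with a visible error, never truncated."""
    return 0 < len(password) <= max_len


if __name__ == "__main__":
    print(demo_inconsistent_limit())
    print(demo_truncation_weakens_password())
    print(password_policy_ok("a" * 128), password_policy_ok("a" * 129))
```

The first demo reproduces the symptom from the story: the account is created with the full password, the web login succeeds, and the mobile login fails because the server hashes a shorter string than it stored. The second shows the quieter risk: when truncation happens on every path, an attacker only has to match the kept prefix. The fix is a single policy enforced server-side and mirrored in every client, rejecting rather than trimming.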
My testing approach was simple:
- Compare behaviors
- Test edge cases (like long inputs)
- Repeat to confirm consistency
No complex tools, just logic and observation.
📧 Responsible Disclosure
Once I confirmed the behavior, I prepared a proper report:
- Clear explanation of the issue
- Supporting observations
- Structured proof of concept (PoC)
And shared it through the appropriate channel.
Then came the hardest part…
Waiting 😅
📬 Acknowledged… and Later Improved
To my surprise, the organization responded to my report.
They:
- Acknowledged receiving the disclosure
- Appreciated the detailed explanation and proof of concept (PoC)
- Confirmed that it was forwarded to their technical and security teams for review
The interaction was professional and respectful — which is always encouraging when practicing responsible disclosure.
After some time, I revisited the application out of curiosity and noticed that the authentication mechanism had been updated, reflecting improvements in how user access is handled.
It was genuinely satisfying to see positive changes happening over time.
Thank you for taking the time to read this. I hope this experience was helpful.
See you guys…..!!!