Password Bypass and Something Else…

Hello guys

This is Vibhurushi Chotaliya. I hope you doing well…

This post is about i was able to bypass password protection when add some bank details and something else.


  1. After login when i add bank details it ask me account password.
  2. So i enter the correct password,catch the request in burp.i got response like {“status”:”success”,”data”:{“message”:”Authentication successful.”}}
  3. Now i’m able to change my bank details.
  4. Again i’m re-login in my account, this time i enter wrong password and catch the request in burp.i got response like {“status”:”error”,”data”:”Incorrect password. Please try again."}.
  5. Now you are thinking i was change the response and bypass it…yes you are right.
  6. Again i enter wrong password,catch the request in burp,again i got response like {“status”:”error”,”data”:”Incorrect password. Please try again.”}. then i replaced with this response{“status”:”success”,”data”:{“message”:”Authentication successful.”}} and i bypass the password protection.

Password Bypass Done.Now Some Thing Else.

  1. I reported this issue 06 Feb 2018 to that bug bounty plateform(sorry i can’t disclose the name).
  2. That plateform closed(sorry for not disclosing the status of report) my report.because they don’t think about the risk of xys Pvt. Ltd.i tried a lot to convinced them about the impact of this issue, but i was fail.
  3. Few days ago i was just check my all reports. i see my Password bypass report i just open it and back again then i close my browser and shutdown the laptop.
  4. After 2 minute,i got the idea and i thought that what happen if i report directly to the xyz Pvt. Ltd. I open my laptop,again i report the issue to xyz Pvt. Ltd. via support address. i report this issue on date 10 March 2019
  5. On day 11 March 2019 they reply me back and say we are looking into the matter.
  6. At morning of 12 March 2019 i got mail from that Bug Bounty Plate Form and saw closed change to accepted and they reward me 600$. OMG I was totally report was accepted after One year +One Month.

Guys i wanted to tell you is that if you really think your report has a significant impact then still they closed(without Resolve)your report. Contact directly to that private organisation. definitely you will get answer.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store