Tokopedia Account Takeover Bug Worth 8 Million IDR

Mukul Lohar
Dec 24, 2018 · 2 min read

Hi Infosec community,

In October I was searching for bug bounty programs through Google dorks and landed on this link.

I went through the terms and conditions, started hunting for bugs, and within an hour I found an account takeover bug.

Steps To Reproduce:

Victim's Tokopedia account email:
1. Go to the
2. Enter the victim account's email ID and click the Continue button. Then select email as the verification method.
3. Copy the full URL from the address bar, which looks like

4. In the URL above, notice the password reset URL, which starts after the “ld” parameter.

6. In the password reset URL, append “&otpcode=000000” to the end.
For example: &otpcode=000000
7. Open that URL and enter a password of your choice. The victim's Tokopedia account is now taken over.
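The bypass above works because the reset endpoint accepted a placeholder OTP value attached to the link. The following is an added example (not Tokopedia's code, nor the author's) of how a reset endpoint should verify an OTP on the server side: the code is generated per reset token, delivered out of band, compared in constant time, limited in attempts and lifetime, and consumed on first use, so a client-supplied value such as 000000 is only accepted if it genuinely matches. The in-memory store and the `now` parameter are assumptions made for a self-contained demonstration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # lock the reset session after this many wrong codes
OTP_TTL_SECONDS = 600   # reset session expires 10 minutes after creation

# Constructed stand-in for a database table keyed by reset token.
_reset_sessions = {}


def start_reset(email, now=None):
    """Server side: create a reset token and a fresh 6-digit OTP bound to it.
    The OTP is sent to the user by email; the client never chooses it."""
    created = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    otp = f"{secrets.randbelow(10**6):06d}"
    _reset_sessions[token] = {"email": email, "otp": otp,
                              "created": created, "attempts": 0}
    return token, otp  # otp is returned only so the mailer can deliver it


def verify_reset(token, otpcode, now=None):
    """Return True only if otpcode equals the OTP bound to this token, within
    the TTL and attempt budget. A missing, malformed or default code such as
    '000000' is rejected unless it is the actual stored OTP."""
    now = time.time() if now is None else now
    sess = _reset_sessions.get(token)
    if sess is None:
        return False                      # unknown or already consumed token
    if now - sess["created"] > OTP_TTL_SECONDS:
        del _reset_sessions[token]        # expired: discard the session
        return False
    if sess["attempts"] >= MAX_ATTEMPTS:
        del _reset_sessions[token]        # too many guesses: discard the session
        return False
    sess["attempts"] += 1                 # count every attempt, even malformed ones
    if not isinstance(otpcode, str) or len(otpcode) != 6 or not otpcode.isdigit():
        return False
    if not hmac.compare_digest(sess["otp"], otpcode):
        return False                      # constant-time compare, no early exit
    del _reset_sessions[token]            # single use: token+OTP cannot be replayed
    return True
```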

Video POC:


14-Oct-2018: Reported

15-Oct-2018: Received Response


“Thank you for waiting. Your report has been verified, and it’s a valid security bug with Critical Severity. We are still fixing this bug, please be patient.”

17-Oct-2018: Fixed

17-Oct-2018: 8 Million IDR Rewarded

Bounty mail

6-Dec-2018: Received Bounty.

Twitter:

A few more account takeover writeups are coming. Thanks for reading. Bye
