How I could hack into any OLX account! (Full account takeover without user interaction)

AMAN ARYAN
Oct 6, 2016


I wanted to sell my old laptop, so I installed the OLX app on my phone. After posting the ad, I thought about testing some of my newly gained knowledge of mobile app penetration testing and decided to start with dynamic analysis.

I launched the Swiss Army knife of hackers, Burp Suite, proxied my browser and started fiddling with the OLX registration and login pages. I found no issues there, so I moved on to the mobile app.

I installed the proxy's certificate on my Android device and launched the OLX app on my phone. Starting again from registration and login, I noticed that the verify-OTP endpoint had no rate limit at all. Since the OTP was only 4 digits, the whole search space ran from 0000 to 9999, i.e. only 10,000 requests. I tested this with my own mobile number, but the same held for every account: you could log into any account you chose.
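The fix OLX shipped was to limit the number of verification attempts. As an added illustration of what that server-side control looks like (my own example code, not OLX's implementation; the attempt limit, code length and expiry values are assumptions chosen for the demo), the verifier below counts attempts per issued code, locks the code after a small number of failures, expires it after a timeout, and uses a constant-time comparison. A helper then runs all 10,000 candidate codes against it, the same check a defender would use to confirm that the limit actually holds, and reports how far the guessing got:

```python
import hmac
import secrets
import time
from collections import Counter
from dataclasses import dataclass

# Constructed policy values for the demo (assumptions, not OLX's real settings).
OTP_DIGITS = 4
MAX_ATTEMPTS = 5          # wrong guesses allowed per issued code
OTP_TTL_SECONDS = 300     # a code is only valid for five minutes


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Issues one-time codes and verifies them under an attempt limit."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._records: dict[str, OtpRecord] = {}

    def issue(self, account: str) -> str:
        # secrets (not random) so the code is unpredictable
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._records[account] = OtpRecord(code=code, issued_at=self._clock())
        return code  # in a real system this goes to the user's phone, never to the caller

    def verify(self, account: str, submitted: str) -> str:
        rec = self._records.get(account)
        if rec is None or rec.consumed:
            return "no_active_code"
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._records[account]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return "locked"              # even the right code is refused now
        rec.attempts += 1
        # compare_digest: the comparison time does not depend on which digit differs
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            rec.consumed = True          # a code can be used exactly once
            return "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            return "locked"
        return "wrong"


def guessing_outcomes(service: OtpService, account: str) -> Counter:
    """Submit every possible 4-digit code once and tally the verifier's answers.

    With the attempt limit in place, only MAX_ATTEMPTS guesses are ever
    evaluated; the remaining submissions are refused with "locked".
    """
    outcomes: Counter = Counter()
    for n in range(10 ** OTP_DIGITS):
        outcomes[service.verify(account, f"{n:0{OTP_DIGITS}d}")] += 1
    return outcomes


if __name__ == "__main__":
    svc = OtpService()
    svc.issue("demo-account")
    print(guessing_outcomes(svc, "demo-account"))
```

Counting attempts per issued code is the minimum; production deployments also throttle per source IP and per device, and alert when one account's codes keep locking. The important property is the one the tally shows: the number of guesses the server is willing to evaluate is tiny compared with the 10,000 possibilities, so the 4-digit space no longer matters.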

I double-checked the bug and then:

  • Sent a mail to the OLX support team on 26th June.
  • Sent a complete report with a video explanation on 6th July.
  • Received an acknowledgement and a thank-you email from OLX.
  • Within a few days the issue was fixed; the number of attempts is now limited.

I also got a thank-you call from their support team :) and a mention in their Security Hall of Fame.

Here is the link to the HackerOne report; HackerOne now handles their bug bounties.
