My First Bug Bounty From Bug Bounty Platform redstorm.io

Hi, how are you? I hope you are doing great. This is my first bug bounty from the bug bounty platform redstorm.io.

My bug bounty was bypassing SMS OTP verification, but before we start I will explain what redstorm.io and OTP are.

Bug Bounty Platform Redstorm.io

RedStorm is a concierge-based solution model designed to be flexible with your SDLC, providing awareness of security threats without bogging you down with high security maintenance costs.

What is OTP?

A one-time password (OTP), also known as one-time PIN or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device.

That day I was reading around on redstorm.io and noticed the Indodax Bug Bounty Program, so I tried to find some bugs there. At first I tried to find a host header injection, but I had no luck at all.

Don’t Give Up!

I tried to register a new account and was asked to enter a phone number during registration, so I entered a random phone number and finished registering the account.

After that I verified my email and was asked to verify my phone number. Then it crossed my mind to bypass the SMS verification, so I fired up Burp Suite, captured the request, sent it to Repeater, and here's what I got:

csrf_token=[TOKEN]&pin=

Then I tried entering 6 random digits and BOOM! Here's the response in Burp:

csrf_token=[TOKEN]&pin=123456

{"success":"Terima kasih, verifikasi telah berhasil!"}

Happy xD

I immediately reported it to their bug bounty program.
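The response above shows the verification endpoint returning success for a pin the author picked at random. As an added example (not Indodax's, RedStorm's, or the author's code), here is what a server-side check that would reject such a request looks like in Python: the code is bound to the phone number it was sent to, expires, is single-use, is attempt-limited, and is compared in constant time. `verify_format_only` is a hypothetical illustration of a handler that only validates the shape of the pin; the phone number, TTL, and attempt limit are constructed values, not anything from the write-up.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed parameters for this example (not values from the write-up)
OTP_TTL_SECONDS = 300   # a code is only accepted for five minutes
MAX_ATTEMPTS = 5        # then the code is discarded and a new one must be requested


@dataclass
class PendingOtp:
    pin: str            # the 6-digit code that was sent to this phone
    expires_at: float   # unix time after which the code is dead
    attempts: int = 0   # guesses consumed so far


def verify_format_only(submitted: str) -> dict:
    """Hypothetical handler that behaves like the response in the write-up:
    it accepts any well-formed 6-digit pin without comparing it to anything."""
    if len(submitted) == 6 and submitted.isdigit():
        return {"success": "verified"}
    return {"error": "invalid code"}


class OtpService:
    """Server-side OTP store and verifier. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, phone: str) -> str:
        # Draw the code from a CSPRNG and bind it to the phone number.
        # In a real service the pin goes to the SMS gateway, never to the HTTP client.
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = PendingOtp(pin=pin, expires_at=self._now() + OTP_TTL_SECONDS)
        return pin

    def verify(self, phone: str, submitted: str) -> dict:
        record = self._pending.get(phone)
        if record is None:
            return {"error": "no pending verification for this number"}
        if self._now() > record.expires_at:
            del self._pending[phone]
            return {"error": "code expired, request a new one"}
        # Count the attempt before comparing so malformed input also burns a try.
        record.attempts += 1
        if record.attempts > MAX_ATTEMPTS:
            del self._pending[phone]
            return {"error": "too many attempts, request a new one"}
        if not (len(submitted) == 6 and submitted.isdigit()):
            return {"error": "invalid code"}
        # Constant-time comparison against the code stored for *this* phone.
        if not hmac.compare_digest(record.pin, submitted):
            return {"error": "invalid code"}
        del self._pending[phone]  # single use: a correct code cannot be replayed
        return {"success": "phone verified"}


def demo() -> dict:
    """Replays the write-up's flow against both handlers with a constructed phone number."""
    clock = [1_700_000_000.0]
    svc = OtpService(now=lambda: clock[0])
    phone = "+62-000-0000-0000"   # constructed placeholder, not a real number
    real_pin = svc.issue(phone)
    guess = "123456" if real_pin != "123456" else "654321"
    results = {
        "format_only_random": verify_format_only("123456"),
        "checked_random": svc.verify(phone, guess),
        "checked_real": svc.verify(phone, real_pin),
        "checked_replay": svc.verify(phone, real_pin),
    }
    # Expiry: issue a fresh code, advance the clock past the TTL, then submit the correct pin.
    fresh = svc.issue(phone)
    clock[0] += OTP_TTL_SECONDS + 1
    results["checked_expired"] = svc.verify(phone, fresh)
    # Attempt limit: exhaust MAX_ATTEMPTS wrong guesses, then the record is discarded.
    fresh = svc.issue(phone)
    wrong = "000000" if fresh != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        svc.verify(phone, wrong)
    results["checked_locked"] = svc.verify(phone, wrong)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The important design point is that a pending code is keyed by the phone number the server itself sent it to, so the client-supplied `pin` only ever means "prove you received this specific SMS"; a format check alone, as in `verify_format_only`, lets any six digits through.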

Timeline:

  • 8 September - Initial Report
  • 9 September - New Update
  • 10 September - Valid Bug
  • 17 September - Rewarded

Thanks for reading my story, I hope you enjoyed it. Happy hacking!

Please support me:

https://paypal.me/novanazizramadhan

Cyber Security Analyst, Penetration Tester, Information Security, Bug Hunter ✉️ naramadhan77@gmail.com