OTP bypassed by using luck infused logical thinking bug report
The author tested a 6-digit OTP verification system and found that login still succeeded when the OTP field was empty. Using Burp Suite to intercept the request and modify the payload, he bypassed the security check. However, when he tried to submit the vulnerability, he learned that the issue had already been reported by another researcher. 2025-6-26 10:36:2 Author: infosecwriteups.com

Muthu

How I broke through 6 digits of security — and landed face-first into a duplicate report.

It was one of those days.
My to-do list said: “Study for finals.”
But my brain said: “Poke around on this random login page instead.”

I obeyed the brain.

So I grabbed my hoodie, opened Burp Suite, cracked my knuckles, and set out on a journey that would make or break my ego.

It was a small web app on a private bug bounty program. I had signed up with my email, and sure enough, it sent me a 6-digit OTP like a good little website.

Your OTP is: 103928

Nothing suspicious. Nothing dramatic. Just six numbers.
But something inside me whispered: “Test it anyway, you curious little gremlin.”

So I did.

I intercepted the request with Burp. The payload looked like this:

{
"email": "[email protected]",
"otp": "103928"
}

Fine. Now what?

What if… I changed the OTP to something random?
What if… I deleted the OTP field entirely?
What if… I set "otp": null or just sent {}?

And THEN…
I sent this beauty:

{
"email": "[email protected]",
"otp": ""
}

🥁 Drumroll please…

Message: OTP verified successfully. Welcome, user.

Wait.

WHAT?!

I had just walked into an account with no OTP.
No brute force.
No rate limiting.
Just… a blank field.
I stared at the response like it had personally insulted my family.

✅ No rate-limiting
✅ OTP field was optional
✅ Empty value = success
✅ This was literally an OTP bypass

The developer must’ve been like:

“If no OTP is present, just trust the user. They’re probably chill.”
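That guessed developer logic, written out as an added example (not code from the post or from the application being tested): the permissive check that treats a blank, null or missing OTP as "nothing to verify", beside a hardened version that fails closed on anything other than a six-digit string, compares in constant time and counts failed attempts per account. The email, OTP value and attempt limit are constructed sample data.

```python
import hmac
import re

# Constructed sample store: email -> OTP the server issued for this login.
ISSUED_OTPS = {"user@example.com": "103928"}

# Only an ASCII six-digit string is an acceptable OTP.
OTP_RE = re.compile(r"[0-9]{6}")


def verify_otp_vulnerable(payload: dict) -> bool:
    """Mirrors the behaviour described in the post: when the OTP is
    absent, null or "" there is 'nothing to check', so login succeeds."""
    email = payload.get("email")
    otp = payload.get("otp")
    if email not in ISSUED_OTPS:
        return False
    if not otp:                      # "", None and a missing key all pass
        return True
    return otp == ISSUED_OTPS[email]


def verify_otp_fixed(payload: dict, attempts: dict,
                     issued: dict = ISSUED_OTPS, max_attempts: int = 5) -> bool:
    """Hardened form: every malformed or wrong submission is a failure,
    failures are counted per email, and the comparison is constant-time.
    `attempts` is the caller's per-email failure counter (constructed here
    as a plain dict; a real service would keep it in shared storage)."""
    email = payload.get("email")
    otp = payload.get("otp")
    if not isinstance(email, str) or email not in issued:
        return False
    if attempts.get(email, 0) >= max_attempts:
        return False                 # locked out until the OTP is reissued
    well_formed = isinstance(otp, str) and OTP_RE.fullmatch(otp) is not None
    if well_formed and hmac.compare_digest(otp, issued[email]):
        attempts.pop(email, None)    # success clears the counter
        return True
    attempts[email] = attempts.get(email, 0) + 1
    return False
```

Run with the blank payload from the post, `verify_otp_vulnerable` returns True while `verify_otp_fixed` returns False and records one failed attempt.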

I tested it again. It worked again.

My neighbors probably heard my victory yell.

Reason: “Already reported by another researcher.”

My soul left my body.

I sat there, rereading the message like it would magically change.

I had climbed the mountain, planted the flag, only to find someone else’s name already etched into the summit.


Article source: https://infosecwriteups.com/otp-bypassed-by-using-luck-infused-logical-thinking-bug-report-fd836120d028?source=rss----7b722bfd1b8d---4