In modern mobile apps, account verification via SMS and WhatsApp is standard practice. But what happens when a company skips the most basic check — whether an account even exists?
In a recent test, I discovered that one electric vehicle (EV) company left the door wide open for abuse in their mobile number verification system. Let’s break down what happened, why it’s dangerous, and how it could cost real money — and even lead to platform bans.
The target app, a mobile platform developed by a Southeast Asian electric vehicle startup, offers SMS and WhatsApp verification when a user wants to “log in” or “register.” Sounds normal, right? (Yeah, very normal…)
But here’s the catch: the server would happily send a verification message to any number, even if that number was never registered.
All I needed was Burp Suite to intercept the request, set register_before=true, and then supply a phone number. Even if I had never created an account with that number, the system responded as if I had — triggering a real SMS or WhatsApp verification message.
There was no backend check to confirm whether the account existed. (Yeeyy!)
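To make the missing check concrete, here is an added example (not the EV company's code) contrasting an OTP-send handler that trusts the client-supplied register_before flag with one that decides on the server, rate-limits per number, and answers uniformly so the fix does not turn into an account-enumeration oracle. The account store, the gateway stand-in and the request field names are assumed for illustration.

```python
"""Added example: an OTP-send handler that trusts a client flag versus one that
checks the account on the server. Account store, messaging gateway and the
`register_before` field name are assumed for illustration, not the app's code."""
import time
from collections import defaultdict

# Constructed sample account store: phone numbers that already hold an account.
ACCOUNTS = {"+628111111111"}

# Constructed stand-in for the SMS/WhatsApp gateway; records what would be sent.
SENT_MESSAGES = []


def send_otp_vulnerable(req):
    """Sends a verification message to whatever number the client supplies.
    The client-controlled `register_before` flag is taken as proof that an
    account exists, so no lookup happens and every request costs a message."""
    if req.get("register_before"):
        SENT_MESSAGES.append((req["phone"], req["channel"]))
    return {"status": "sent"}


class OtpService:
    """Hardened handler: decides on the server, rate-limits, answers uniformly."""

    def __init__(self, accounts, max_per_window=3, window_s=600):
        self.accounts = accounts
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.attempts = defaultdict(list)  # phone -> timestamps of sends

    def _rate_limited(self, phone, now):
        recent = [t for t in self.attempts[phone] if now - t < self.window_s]
        self.attempts[phone] = recent
        return len(recent) >= self.max_per_window

    def send_otp(self, req, flow, now=None):
        """`flow` is "login" or "register" and comes from the server route,
        never from the request body. The response is identical whether or not
        a message was sent, so the endpoint does not reveal which numbers
        hold an account."""
        now = time.time() if now is None else now
        phone = req["phone"]
        exists = phone in self.accounts
        # Login needs an existing account; registration needs a fresh number.
        should_send = (flow == "login" and exists) or (flow == "register" and not exists)
        if should_send and not self._rate_limited(phone, now):
            self.attempts[phone].append(now)
            SENT_MESSAGES.append((phone, req["channel"]))
        return {"status": "ok"}  # uniform response in every case
```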