Introduction: When a Bug Finds You
I wasn’t trying to be a hacker that day. I wasn’t running Burp Suite, intercepting requests, or testing for vulnerabilities. I was just a regular user, casually adding money to my wallet, when I noticed something strange: there was no OTP verification in online payments. You know that mandatory OTP verification every time you make an online transaction? That one-time password (OTP) sent to your phone that stands between your money and a scammer?
Yeah, it just didn’t happen. No OTP, just instant money transfer.
At first, I thought: “Wow, this app is smooth!” But then my inner hacker kicked in: “Wait a second… this isn’t normal.”

I thought, “Maybe it’s a one-time issue.” But being a curious guy, I tried again – same thing.
Proof of Concept: How Easy It Was
The entire exploit (if we can even call it that) was literally just:
- Enter the amount and select the payment details
- Enter the card details
- Done! It transfers the money without asking for the OTP
No OTP. No verification. No questions asked. This was so simple it felt illegal.
Reference – CWE-306 (Missing Authentication for Critical Function)
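As an added illustration (constructed for this write-up, not code from the post or from the app in question), here is a wallet top-up handler in the shape the post describes, next to a hardened version that credits the wallet only after a one-time code bound to that specific transaction (amount and card) has been verified, with expiry, attempt limiting and replay protection:

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed validity window for a code
MAX_ATTEMPTS = 3        # assumed guess limit per transaction


class OtpChallenge:
    """A one-time code tied to one top-up: its txn id, amount and card."""

    def __init__(self, amount, card_last4):
        self.code = f"{secrets.randbelow(10**6):06d}"  # delivered out of band in reality
        self.amount = amount
        self.card_last4 = card_last4
        self.expires = time.monotonic() + OTP_TTL_SECONDS
        self.attempts = 0
        self.used = False


class Wallet:
    def __init__(self):
        self.balance = 0
        self.challenges = {}  # txn_id -> OtpChallenge

    def top_up_vulnerable(self, amount, card_last4):
        """The flow the post describes: card details in, wallet credited, no OTP."""
        self.balance += amount
        return True

    def start_top_up(self, txn_id, amount, card_last4):
        """Hardened flow, step 1: record the pending transaction and issue a code."""
        challenge = OtpChallenge(amount, card_last4)
        self.challenges[txn_id] = challenge
        return challenge.code  # returned only so this example runs offline

    def complete_top_up(self, txn_id, amount, card_last4, code):
        """Hardened flow, step 2: credit only if the code is valid for *this* transaction."""
        ch = self.challenges.get(txn_id)
        if ch is None or ch.used or time.monotonic() > ch.expires:
            return False
        if ch.amount != amount or ch.card_last4 != card_last4:
            return False  # amount or card changed after the code was issued
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.challenges[txn_id]  # lock the transaction after repeated guesses
            return False
        if not hmac.compare_digest(ch.code, code):
            return False
        ch.used = True  # one-time: replaying the same code must fail
        self.balance += amount
        return True
```

The check that matters is server-side: the OTP is tied to the pending transaction's amount and card, so a client cannot skip the step or reuse a code for a different top-up.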
Impact: The What-If Scenario
If an attacker exploited this, they could:
- Add unlimited funds to their wallet without verifying transactions.
- Abuse stolen card details (since no OTP validation means no second-layer security).
- Automate the process and print money (well, sort of).
At this point, I imagined hackers using this bug. This bug was Jamtara’s dream come true.

Bug Bounty? More Like Bug Rejection.
Like a responsible hacker, I immediately reported the issue.
Did I get a bounty? Nope.
They didn’t think it was a “valid security issue.” Because, of course, who needs OTP verification for money transactions, right? So they marked it as Informative.

Conclusion
This bug was a perfect example of how the most ridiculous flaws can sometimes be the most dangerous. For bug hunters, it’s a reminder that critical vulnerabilities can be hiding in plain sight, waiting for someone to notice. As for me? Well, let’s just say that after getting zero bounty, I might have briefly considered whether I should’ve just kept using the bug instead of reporting it… (Just kidding… or am I? 🤔)