Last month I reported a security issue to Badoo concerning a method that allows bypassing the mobile number verification when a user logs in from a different IP.
When you log in from a different IP, Badoo asks you to enter the 4 missing digits of your mobile number, so I decided to test whether there was a rate limit. Guess what? There wasn't. I tried every possibility from 0000 to 9999 using Burp Suite.
This flaw allows me to bypass mobile number confirmation and log in to a user's account from a different IP address.
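As an added illustration (not code from the original report or from Badoo), here is a defender-side sketch of the control whose absence is described above: a per-account attempt budget on the 4-digit challenge, plus a log check for accounts accumulating failed verifications. Account names, the log line format and the thresholds are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # guesses allowed per challenge, against 10,000 possible codes
CHALLENGE_TTL = 10 * 60     # seconds a challenge stays valid

class VerificationStore:
    """One pending 4-digit challenge per account, with an attempt budget.
    The budget is keyed on the account, so rotating source IPs does not reset it."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CHALLENGE_TTL):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.pending = {}   # account -> [expected_digits, issued_at, failures]

    def issue(self, account, digits, now=None):
        now = time.time() if now is None else now
        self.pending[account] = [digits, now, 0]

    def verify(self, account, guess, now=None):
        """Return 'ok', 'wrong' or 'locked'. The flaw reported above is the
        missing 'locked' outcome: without an attempt limit, trying all
        10,000 values always succeeds."""
        now = time.time() if now is None else now
        entry = self.pending.get(account)
        if entry is None or now - entry[1] > self.ttl:
            self.pending.pop(account, None)
            return "locked"          # no live challenge; a new one must be issued
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(entry[0], guess):
            del self.pending[account]   # single use: consumed on success
            return "ok"
        entry[2] += 1
        if entry[2] >= self.max_attempts:
            del self.pending[account]   # budget spent: invalidate the challenge
            return "locked"
        return "wrong"

def accounts_over_threshold(log_lines, threshold=20):
    """Detection side: count verify_failed events per account in log lines of
    the (constructed) form 'ts account=<id> ip=<addr> event=<name>'."""
    counts = defaultdict(int)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("event") == "verify_failed":
            counts[fields["account"]] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)
```

With a budget of five guesses per challenge, an exhaustive 0000 to 9999 run is cut off after the first handful of attempts, and the log check surfaces the accounts that were targeted.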
In my opinion, Badoo solved this issue really fast and the whole experience was great.
Reported: Oct 8th
Solved by Badoo: Oct 11th
Bounty awarded: $140
Public Disclosure: Nov 3rd