Brute-force password recovery code | Bug Bounty PoC | Bumble.com rewarded $1,000 bounty.

Bug hunter ID: https://hackerone.com/uyga


It's possible to brute-force the recovery code sent by SMS, as the iOS application doesn't limit incorrect inputs. I tried 50+ different combinations until I reached the code from the SMS.

Steps To Reproduce

  1. Click "Use another option" on application startup view
  2. Enter your phone number
  3. Click "Forgotten number"
  4. Click "OK" on pop-up window
  5. Brute-force the 4-digit code

PoC video

Suggested Fix

  1. Limit the number of attempts to enter the recovery code.
  2. Don't store the recovery code on the device and compare it against the user's input locally; verify it server-side.
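As an added example (not code from the report or from Bumble), the following Python simulates a server-side recovery-code check in the two configurations the report contrasts: with no attempt limit, where the sequential brute force from step 5 always recovers a 4-digit code within 10,000 guesses, and with a per-code attempt cap, where the same loop is locked out after a handful of tries. The `RecoveryVerifier` class, the `MAX_ATTEMPTS` value of 5 and the constructed code `0420` are assumptions for illustration, not details from the report.

```python
import hmac
import secrets
from typing import Optional, Tuple

CODE_LENGTH = 4          # the report's 4-digit SMS code
MAX_ATTEMPTS = 5         # assumed lockout policy for the hardened case, not Bumble's


def generate_code(length: int = CODE_LENGTH) -> str:
    """Generate a numeric recovery code with a CSPRNG (one digit per secrets call)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


class RecoveryVerifier:
    """Server-side holder of one issued recovery code (hypothetical class).

    The code never leaves the server; the client only submits guesses.
    max_attempts=None reproduces the reported behaviour (unlimited guesses);
    a positive value implements suggested fix 1 (cap the attempts).
    """

    def __init__(self, code: str, max_attempts: Optional[int]) -> None:
        self.code = code
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False
        self.consumed = False

    def verify(self, guess: str) -> bool:
        if self.locked or self.consumed:
            return False
        self.attempts += 1
        # constant-time compare so response timing does not leak matching prefixes
        if hmac.compare_digest(self.code.encode(), guess.encode()):
            self.consumed = True          # a recovery code is single-use
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True            # further guesses are rejected; the user must request a new code
        return False


def brute_force(verifier: RecoveryVerifier, length: int = CODE_LENGTH) -> Tuple[Optional[str], int]:
    """Attacker loop from the report's step 5: submit 0000..9999 in order.

    Returns (code found or None, guesses submitted).
    """
    for n in range(10 ** length):
        guess = f"{n:0{length}d}"
        if verifier.verify(guess):
            return guess, verifier.attempts
        if verifier.locked:
            break
    return None, verifier.attempts


if __name__ == "__main__":
    secret_code = "0420"  # constructed value so the run is reproducible; use generate_code() in practice

    found, tries = brute_force(RecoveryVerifier(secret_code, max_attempts=None))
    print(f"unlimited attempts: recovered {found} after {tries} guesses")

    found, tries = brute_force(RecoveryVerifier(secret_code, max_attempts=MAX_ATTEMPTS))
    print(f"attempts capped at {MAX_ATTEMPTS}: recovered {found}, locked after {tries} guesses")
```

Against the unlimited verifier the loop succeeds on guess 421 for this code and would need at most 10,000 submissions for any 4-digit code, which is why a 4-digit value is only acceptable when the server enforces an attempt cap and expiry; keeping the verifier state server-side is what makes suggested fix 2 enforceable, since a client-side comparison can be driven as fast as the device allows.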


Devices: iPhone SE (iOS 13.2), iPhone 6s (iOS 12.4)
App: Bumble (5.140.0)


Impact

Account takeover.

Thank you✌✌✌
