Tokopedia Account Takeover Bug Worth 8 Million IDR


Hi Infosec community,

In October I was searching for bug bounty programs through Google dorks and I landed on this link.

I went through the terms and conditions, started hunting for bugs, and within an hour I found an account takeover bug.

Steps To Reproduce:

Victim email of Tokopedia account:

1. Go to the
2. Now type the victim account's email id and click on the Continue button. After that, select the verification method Email.
3. Now copy the full URL from the address bar, which looks like

4. Now in the above URL, see that there is a password reset URL, which starts after the “ld” parameter.

6. Now in the password reset URL we have to just add “&otpcode=000000” at the end of the password reset URL.
For example: &otpcode=000000
7. Now go to the above URL and just enter a password of whatever you choose. The victim's Tokopedia account is successfully taken over.
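The post does not disclose the server-side root cause, only that a fixed otpcode value appended to the reset link was accepted. The following is an added example, not Tokopedia's code, showing the property a password-reset endpoint needs so that a query parameter like this cannot stand in for verification: the submitted code is compared against a server-stored OTP bound to the reset token, with expiry, an attempt limit, constant-time comparison and single-use tokens. All names, the example.invalid URL, the email addresses and the fixed OTP used for a reproducible demo are constructed for this illustration.

```python
"""Illustrative OTP-gated password reset (added example, not the vendor's code).

The otpcode query parameter is only an *input* to verification; the server never
treats its mere presence, or a default value such as 000000, as proof of identity.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

OTP_TTL_SECONDS = 300      # code is valid for five minutes (assumed policy)
MAX_OTP_ATTEMPTS = 5       # wrong guesses before the reset request is discarded


@dataclass
class ResetRequest:
    email: str
    otp: str                # code delivered out of band to the account owner
    created_at: float
    attempts: int = 0
    otp_verified: bool = False


class PasswordResetService:
    def __init__(self):
        self._requests = {}  # reset token -> ResetRequest (server-side state)
        self.passwords = {}  # email -> password; plaintext only for illustration

    def start_reset(self, email, now=None, otp=None):
        """Create a reset request. The link carries only the token; the OTP is
        sent to the owner's verified email. `otp` may be fixed for tests."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        code = otp if otp is not None else f"{secrets.randbelow(10**6):06d}"
        self._requests[token] = ResetRequest(email, code, now)
        return token, code

    def verify_otp(self, token, submitted_otp, now=None):
        """Return True only if `submitted_otp` matches the stored code for this
        token, the request is unexpired and the attempt budget is not exhausted."""
        now = time.time() if now is None else now
        req = self._requests.get(token)
        if req is None:
            return False
        if now - req.created_at > OTP_TTL_SECONDS or req.attempts >= MAX_OTP_ATTEMPTS:
            del self._requests[token]       # expired or brute-forced: discard
            return False
        req.attempts += 1
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if not hmac.compare_digest(req.otp.encode(), str(submitted_otp).encode()):
            return False
        req.otp_verified = True
        return True

    def set_password(self, token, new_password):
        """Only a request whose OTP was verified server-side may change the password."""
        req = self._requests.get(token)
        if req is None or not req.otp_verified:
            return False
        self.passwords[req.email] = new_password
        del self._requests[token]           # single use
        return True


def complete_reset_from_url(service, url, new_password, now=None):
    """Server-side handling of a reset link such as ...?token=X&otpcode=Y."""
    params = parse_qs(urlparse(url).query)
    token = params.get("token", [""])[0]
    otpcode = params.get("otpcode", [""])[0]
    if not service.verify_otp(token, otpcode, now=now):
        return False
    return service.set_password(token, new_password)


def demo():
    """Constructed scenario: a link with a guessed otpcode=000000 is rejected,
    the real code delivered to the owner succeeds."""
    svc = PasswordResetService()
    svc.passwords["victim@example.com"] = "original"           # constructed account
    token, otp = svc.start_reset("victim@example.com", otp="481516")  # fixed for the demo
    base = "https://reset.example.invalid/reset?token=" + token
    forged = complete_reset_from_url(svc, base + "&otpcode=000000", "forged-choice")
    legit = complete_reset_from_url(svc, base + "&otpcode=" + otp, "owner-choice")
    return forged, legit, svc.passwords["victim@example.com"]


if __name__ == "__main__":
    print(demo())  # (False, True, 'owner-choice')
```

The point of the example is where the trust boundary sits: the verified flag lives in server state keyed by the token and can only be set by `verify_otp`, so no combination of query parameters on the reset link can mark a request as verified. Expiry, the attempt cap and single-use tokens close the remaining guessing and replay paths.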

Video POC:


14-Oct-2018: Reported

15-Oct-2018: Received Response


“Thank you for waiting. Your report has been verified, and it’s a valid security bug with Critical Severity. We are still fixing this bug, please be patient.”

17-Oct-2018: Fixed

17-Oct-2018: 8 Million IDR Rewarded

Bounty mail

6-Dec-2018: Received Bounty.

Twitter:

A few more account takeover writeups are coming. Thanks for reading. Bye.

Written by

lone warrior
