Tokopedia Account Takeover Bug Worth 8 Million IDR

Mukul Lohar
2 min readDec 24, 2018


Hi Infosec community,

In October month i was just searching for bug bounty programs through google dorks & I landed on this link .

I went through terms and conditions. I started hunting for bugs & within an hour i found account takeover bug.

Steps To Reproduce:

Victim email of tokopedia account:
1. Go to the
2. Now type the victim account email id & click on continue button. After that select verification method email.
3. Now copy the full URL from address bar. Which look like

4. Now in above URL. See there is password reset URL. Which start after “ld” parameter.

6. Now in password reset URL we have to just add “&otpcode=000000” at the end of password reset URL.
For ex. &otpcode=000000
7. Now go to the above URL. And just enter the password of whatever you choice. Victim Tokopedia account is successfully takeover.

Video POC:


14-Oct-2018: Reported

15-Oct-2018: Received Response


Thank you for waiting. Your report has been verified, and it’s a valid security bug with Critical Severity. We are still fixing this bug, please be patient.”

17-Oct-2018: Fixed

17-Oct-2018: 8 Million IDR Rewarded

Bounty mail

6-Dec-2018: Received Bounty.

Twitter :

Few more account takeover writeups coming . Thank for reading. Bye