Bug Bounty·/u/TheReedemer69·3 days ago
I wrote up an old OLX account takeover bug that started from a very small UI difference. After enough wrong OTP attempts, the page showed a “try again later” lockout message. That should have made every blocked submission look the same. But it didn’t. Wrong OTPs during lockout still kept the invalid-code signal. The correct OTP during lockout kept the lockout message but dropped the invalid-code signal. That turned the rate-limit state into a correctness oracle. The impact came from the combination: shared verification logic across account flows, enough OTP validity time for the leaked signal to matter, password-reset exposure, and no clean session revocation after password change. The useful lesson for bug bounty is simple: do not stop testing when a protection appears. Sometimes the protection is exactly where the application starts leaking the most important signal.
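The oracle described in the post, modelled as an added example that is not the poster's code or OLX's: a leaky verifier that still evaluates the code during lockout beside a hardened one that returns the lockout response before comparing anything. The function names, the attempt limit and the sample OTP are all constructed.

```python
# Added example (constructed): how a lockout can leak OTP correctness,
# and the defensive fix of short-circuiting before the comparison.
from dataclasses import dataclass
import hmac

MAX_ATTEMPTS = 5  # constructed lockout threshold

@dataclass
class OtpState:
    code: str        # the OTP currently valid for this account
    failures: int = 0

def verify_leaky(state: OtpState, submitted: str) -> frozenset:
    """Vulnerable pattern: the lockout message is added, but the invalid-code
    flag is still derived from comparing the submitted code. Once locked, a
    wrong guess returns {try_again_later, invalid_code} while the right one
    returns only {try_again_later}, so the rate limit itself is the oracle."""
    resp = set()
    locked = state.failures >= MAX_ATTEMPTS
    if locked:
        resp.add("try_again_later")
    if not hmac.compare_digest(state.code, submitted):
        resp.add("invalid_code")
        state.failures += 1
    elif not locked:
        resp.add("verified")
    return frozenset(resp)

def verify_hardened(state: OtpState, submitted: str) -> frozenset:
    """Fix: decide on lockout first and return before the code is ever
    compared, so every blocked submission produces an identical response."""
    if state.failures >= MAX_ATTEMPTS:
        return frozenset({"try_again_later"})
    if hmac.compare_digest(state.code, submitted):
        state.failures = 0
        return frozenset({"verified"})
    state.failures += 1
    return frozenset({"invalid_code"})

def oracle_distinguishes(verify) -> bool:
    """Regression check a defender can keep in a test suite: True means a
    locked-out account answers the correct code differently from a wrong one."""
    locked = OtpState(code="482913", failures=MAX_ATTEMPTS)  # constructed
    wrong = verify(locked, "000000")
    right = verify(locked, "482913")
    return wrong != right
```

Running `oracle_distinguishes` against both verifiers shows the leaky one returning True and the hardened one False; the same check works as a unit test for any verification path shared across login and password-reset flows.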