I found a two-factor authentication bypass on the endpoint, used by Grab Android App. The team was very responsible and fixed the issue fast. Thanks to the Grab team for the great experience and the bounty! I escalated similar issue to the **any user account takeover** by unauthenticated attacker …