###Summary
I found a OTP code bypass on the login endpoint, used by Grab Android App. Since no password was required upon login (only SMS code), it was actually account takeover (still, the victim will be informed that something is wrong because of few incoming SMSes with codes).
The team was very…