Recently, I got the request to pentest the application from two companies. For security purpose, I hide their identity, so, I called them with the name as X and Y. During the penetration test, I discovered the bug that led to Account Takeover (ATO), I found that the bug was simple, not superior. The more important was that I wanted to share the things what I have done. Somebody says “Sharing is Caring”.