Only the phone number parameter was being validated. So an attacker could maliciously modify the country code. That may not sound too damaging but the SMS provider supported having multiple phone numbers separated by a ,. So by sending a country_isd as the attackers number and a , the validated phone number will be appended and the OTP will be sent to both locations.