SMS OTP Could Be Sent to an Attacker Through an Unvalidated Country Code ($2000 USD)

We discussed this vulnerability during Episode 89 on 11 October 2021

Only the phone number parameter was being validated, so an attacker could freely modify the country code (country_isd) parameter. That may not sound too damaging, but the SMS provider accepted multiple recipient numbers separated by a comma (,). By sending a country_isd value consisting of the attacker's own number followed by a comma, the validated phone number was appended after it and the OTP was sent to both numbers.
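The following Python is an added illustration, not code from the affected service or from the episode. It models the flaw described above (only the phone number is checked, the country code is concatenated as-is, and the provider treats a comma as a recipient separator) beside a hardened version that validates the country code against an allowlist of dialling codes. The allowlist, the number formats, and the provider model are constructed assumptions for the example.

```python
import re

# Constructed allowlist of ISD (country dialling) codes this service sends to.
# A real deployment would load its own list; the point is that the country code
# must be matched against known-good values, not merely passed through.
ALLOWED_ISD_CODES = {"1", "44", "91"}

PHONE_RE = re.compile(r"[0-9]{6,12}")
ISD_RE = re.compile(r"[0-9]{1,3}")


def build_recipient_vulnerable(country_isd: str, phone: str) -> str:
    """Mirrors the bug: only the phone number is validated, the country code
    is appended unchecked, so any separator inside it reaches the provider."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("invalid phone number")
    return country_isd + phone


def build_recipient_hardened(country_isd: str, phone: str) -> str:
    """Validates both parts: the country code must be 1-3 digits and on the
    allowlist, so a comma (or any other provider-level separator) is rejected
    before the recipient string is ever assembled."""
    if not ISD_RE.fullmatch(country_isd) or country_isd not in ALLOWED_ISD_CODES:
        raise ValueError("invalid country code")
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("invalid phone number")
    return country_isd + phone


def recipients_seen_by_provider(recipient: str) -> list[str]:
    """Models an SMS provider that treats ',' as a recipient separator, which
    is what turned an unvalidated country code into an OTP leak."""
    return [r for r in recipient.split(",") if r]


def otp_recipient_count(builder, country_isd: str, phone: str) -> int:
    """How many distinct numbers the OTP would reach for a given builder.
    Returns 0 when the builder rejects the input."""
    try:
        recipient = builder(country_isd, phone)
    except ValueError:
        return 0
    return len(recipients_seen_by_provider(recipient))


if __name__ == "__main__":
    # Constructed sample values: a legitimate request and one with a comma
    # smuggled into the country code field.
    legit_isd, legit_phone = "91", "9876543210"
    tampered_isd = "15550001111,91"  # attacker-controlled number, then ','

    print("vulnerable, legit  :", otp_recipient_count(build_recipient_vulnerable, legit_isd, legit_phone))
    print("vulnerable, tampered:", otp_recipient_count(build_recipient_vulnerable, tampered_isd, legit_phone))
    print("hardened, legit    :", otp_recipient_count(build_recipient_hardened, legit_isd, legit_phone))
    print("hardened, tampered :", otp_recipient_count(build_recipient_hardened, tampered_isd, legit_phone))
```

The hardened builder fails closed: rather than stripping separators out of the country code, it only accepts values that are entirely digits and that the service actually expects, which also covers any other delimiter or formatting the provider might interpret.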