SMS OTP Could be Sent to an Attacker Through an Unvalidated Country Code ($2000 USD)
Original Post:
We discussed this vulnerability during Episode 89 on 11 October 2021
Only the phone number parameter was validated, so an attacker could freely modify the country code. That may not sound too damaging on its own, but the SMS provider supported sending to multiple phone numbers separated by a comma (`,`). So by sending a country_isd consisting of the attacker's number followed by a comma, the validated phone number would be appended after it and the OTP would be delivered to both the attacker and the victim.
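The following is an added example (not code from the original report or the affected application) that models the bug: a recipient string built from an unvalidated `country_isd` and a validated phone number, handed to a provider that treats a comma as a recipient separator. The regex, the ISD allow-list, the sample numbers and the function names are all constructed for illustration; the fixed variant shows the check the report implies was missing.

```python
import re

# Constructed for this example: a bare national number (no '+', no separators).
NATIONAL_NUMBER = re.compile(r"^\d{6,12}$")
# Constructed for this example: hypothetical allow-list of ISD (country) codes.
ALLOWED_ISD = {"1", "44", "91"}


def build_recipient_vulnerable(country_isd: str, phone: str) -> str:
    """Mirrors the reported bug: only `phone` is validated, `country_isd`
    is concatenated exactly as the client sent it."""
    if not NATIONAL_NUMBER.fullmatch(phone):
        raise ValueError("invalid phone number")
    return f"+{country_isd}{phone}"


def build_recipient_fixed(country_isd: str, phone: str) -> str:
    """Hardened form: the country code is checked against an allow-list,
    so it can never carry a separator or a second number."""
    if country_isd not in ALLOWED_ISD:
        raise ValueError("invalid country code")
    if not NATIONAL_NUMBER.fullmatch(phone):
        raise ValueError("invalid phone number")
    return f"+{country_isd}{phone}"


def provider_split_recipients(to_field: str) -> list[str]:
    """Models an SMS provider that accepts several recipients in one field,
    separated by ','."""
    return [r.strip() for r in to_field.split(",") if r.strip()]


def otp_recipients(builder, country_isd: str, phone: str) -> list[str]:
    """Who would actually receive the OTP: an empty list means the request
    was rejected before anything was sent."""
    try:
        to_field = builder(country_isd, phone)
    except ValueError:
        return []
    return provider_split_recipients(to_field)


if __name__ == "__main__":
    # Constructed sample values: the victim's validated number and an
    # attacker-controlled country_isd smuggling a second recipient.
    victim_phone = "9876543210"
    attacker_isd = "15550001111,+91"   # attacker's number, a comma, then the real ISD
    print(otp_recipients(build_recipient_vulnerable, attacker_isd, victim_phone))
    print(otp_recipients(build_recipient_fixed, attacker_isd, victim_phone))
    print(otp_recipients(build_recipient_fixed, "91", victim_phone))
```

The point to take away is that validating one field of a composite value is not enough when another field is concatenated into the same downstream string; every component that reaches the provider needs its own strict check, and an allow-list for the country code is the simplest one.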