Account Takeover via Poor OTP Implementation

We discussed this vulnerability during Episode 199 on 27 March 2023

A curious account takeover and one-time-password (OTP) bypass vulnerability has been identified. During the signup process, users receive an OTP sent to their email address. By altering the OTP-verification request so that the email field names the victim's address instead of their own, a user can gain unauthorized access to the victim's account.

This vulnerability arises from the unusual implementation of OTP verification. Instead of tying the OTP directly to the account, a verificationId is used to establish an OTP "session", and the email address merely accompanies the verification request rather than being bound to that session. This added indirection inadvertently creates an opportunity for the vulnerability to emerge.
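As an added illustration, not code from the affected application or from the episode, the following Python sketch places the flawed verification step beside a fixed one. The in-memory session store, the handler names and the field names are assumptions; the point is that the identity the server acts on must come from the server-side session that the OTP was issued for, never from the request body.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store of OTP "sessions", keyed by verificationId.
# Each session records which email the OTP was actually delivered to.
OTP_SESSIONS: Dict[str, dict] = {}


def start_signup(email: str) -> tuple:
    """Create an OTP session for `email`; returns (verificationId, otp).
    In a real system the otp is emailed and never returned to the client."""
    verification_id = secrets.token_urlsafe(16)
    otp = f"{secrets.randbelow(10**6):06d}"
    OTP_SESSIONS[verification_id] = {"email": email, "otp": otp, "used": False}
    return verification_id, otp


def verify_vulnerable(verification_id: str, otp: str, email: str) -> Optional[str]:
    """Flawed handler: once the OTP matches the session, the email taken from
    the request is treated as verified. The session only proves that the
    OTP reached session['email'], so any address in the request is accepted."""
    session = OTP_SESSIONS.get(verification_id)
    if session is None or session["used"]:
        return None
    if not hmac.compare_digest(session["otp"], otp):
        return None
    session["used"] = True
    return email  # identity comes from the client: the bug


def verify_fixed(verification_id: str, otp: str, email: str) -> Optional[str]:
    """Fixed handler: the request's email must equal the address the OTP was
    sent to, and the verified identity is read back from the session."""
    session = OTP_SESSIONS.get(verification_id)
    if session is None or session["used"]:
        return None
    otp_ok = hmac.compare_digest(session["otp"], otp)
    email_ok = hmac.compare_digest(session["email"].lower(), email.lower())
    if not (otp_ok and email_ok):
        return None  # mismatch leaves the session unused but unverified
    session["used"] = True
    return session["email"]  # identity comes from the server-side session
```

The fixed version also consumes the session on success so a verified OTP cannot be replayed; an expiry on each session would complete a production implementation.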