Hacker News: bearsyankees's comments

Awesome, glad to help!! It is a pretty good tool (unless apps use SSL pinning).

Hi, author here! My bad if that was not clear. The endpoint was just a POST request where the body was the phone number, so that is all you needed to know to take over someone's account.

I think it could be a tad bit clearer. I understand what you are saying but this thread requires reading multiple messages, parsing out the wrong parts, and putting together the correct ones to fully understand.

Put very simply, they exposed an endpoint that took a phone number as input to send an OTP code. That's reasonable, and many companies do this without issue. The problem is, instead of just sending the OTP code, they _returned the code to the client_ as well.

There is never a good reason to do this; it defeats the entire purpose. The only reason you send a code to a phone is for the user to enter it to prove they "own" that phone number.

It's like having a secure vault but leaving a post-it note with the combination stuck to it.
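To make the flaw in that comment concrete, here is an added example of my own (not the blog author's code and not the app's code): the same OTP-request handler written twice, once echoing the code back in the HTTP response and once hardened so the code exists only in server state and in the SMS. The in-memory store, the placeholder `send_sms` function, the phone numbers and the `response_leaks_secret` regression check are all assumptions I constructed for the illustration.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending codes keyed by phone number.
# Assumption: a real service would keep this in a cache or DB with a TTL.
_pending_codes: dict[str, tuple[str, float]] = {}
CODE_TTL_SECONDS = 300


def send_sms(phone: str, message: str) -> None:
    # Placeholder for an SMS gateway call; in the fixed handler this is the
    # only channel the code ever travels over.
    pass


def _issue_code(phone: str) -> str:
    # Six-digit code from a CSPRNG, stored with an expiry and sent by SMS.
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_codes[phone] = (code, time.time() + CODE_TTL_SECONDS)
    send_sms(phone, f"Your code is {code}")
    return code


def request_code_vulnerable(phone: str) -> dict:
    """The pattern described in the comment: the OTP is sent by SMS and
    also returned in the response body, so knowing a phone number is enough
    to learn its code."""
    code = _issue_code(phone)
    return {"status": "sent", "code": code}  # the defect is this field


def request_code_fixed(phone: str) -> dict:
    """Hardened version: the response carries no secret at all."""
    _issue_code(phone)
    return {"status": "sent"}


def verify_code(phone: str, submitted: str) -> bool:
    """Second step of the flow: check the code the user typed in.
    Constant-time comparison, expiry enforced, single use."""
    entry = _pending_codes.get(phone)
    if entry is None:
        return False
    code, expires_at = entry
    if time.time() > expires_at:
        _pending_codes.pop(phone, None)
        return False
    ok = hmac.compare_digest(code, submitted)
    if ok:
        _pending_codes.pop(phone, None)  # a code may only be redeemed once
    return ok


def response_leaks_secret(response: dict, phone: str) -> bool:
    """Regression check for a test suite or code review: does any field of
    the response equal the code currently pending for this phone number?"""
    entry = _pending_codes.get(phone)
    if entry is None:
        return False
    code = entry[0]
    return any(isinstance(v, str) and v == code for v in response.values())


if __name__ == "__main__":
    # Constructed sample phone numbers, not real subscribers.
    leaky = request_code_vulnerable("+15550100")
    safe = request_code_fixed("+15550101")
    print("vulnerable handler leaks code:", response_leaks_secret(leaky, "+15550100"))
    print("fixed handler leaks code:", response_leaks_secret(safe, "+15550101"))
```

The `response_leaks_secret` check is the kind of assertion worth adding to an API test suite: it fails the moment anyone re-introduces the secret into a response body, which is exactly the regression this thread is about.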


Glad you found it interesting. Yeah, I was experimenting with different names and obviously this one was the best. Not trying to self-promo, as I am not, like, selling any product, but just thought people would enjoy the article! Sorry if I violated any of the unwritten HN norms... but glad people are reading it now and having interesting discussions.

You definitely shouldn't do what you did here, gaming your submissions this way. You can post your own stuff, of course.

Hi author here! Not exactly sure what you are talking about — I think I found this vulnerability pretty close to when the app first went public but not sure why that makes it a scam

And I posted this blog because I think people will find it interesting!

Happy to answer any other questions when I get back to my computer :)



I think the date there is March 25


> Developers should use best practices, but they may not be sufficient, he added. “Keeping data secure is an unsolved problem,” he said.

Oh, ok. Too bad, I guess.


Interesting to see what is offered at a school like Yale in 2024



This comment should stay at the top for context.

Kid knows what they like and is going for it.


A site to see and filter Yale courses


Queries, fast, simple, robust.

