Bypassing OTP: Unlocking Vulnerabilities & Securing Your App
Summary
OTP (one-time password) is an additional layer of security provided by some websites and apps.
This could be in the form of an SMS code, Google Authenticator code or email confirmation.
The OTP is supposed to provide an extra step of protection on top of your username and password, but in some cases, it can be bypassed.
This can be achieved in two ways: brute-forcing the code, or manipulating the request or response so that the application proceeds as if the code were correct.
Both are viable when the system validating the OTPs does not limit the number or rate of attempts, or when the check is performed on the client side (or the server trusts a client-supplied result) instead of being enforced on the server.
To prevent this, enforce strict rate limits and attempt lockouts, validate the OTP on the server side and never trust a client-supplied verdict, and return generic responses that do not reveal why a check failed.
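The following is an added example, not code from the original article, showing the server-side pattern the precautions above describe: a verifier with attempt lockout, expiry, constant-time comparison and single use (against brute force), placed beside the vulnerable "trust the client's flag" pattern (the response manipulation target). The class and function names, and the 5-attempt / 5-minute policy, are assumptions chosen for illustration.

```python
"""Added example: an OTP verifier hardened against the two bypasses named
above (brute force and response manipulation).  Illustrative code, not
from the original article; OtpService and the policy values are assumptions."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # assumed policy: lock the code after 5 wrong guesses
OTP_TTL_SECONDS = 300     # assumed policy: a code is valid for 5 minutes


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Server-side OTP state.  The client never learns why a check failed."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._records: dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        # Cryptographically random 6-digit code; replaces any earlier code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[user_id] = OtpRecord(code=code, issued_at=self._now())
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        rec = self._records.get(user_id)
        if rec is None or rec.consumed:
            return False
        if self._now() - rec.issued_at > OTP_TTL_SECONDS:
            del self._records[user_id]       # expired: force a fresh code
            return False
        if rec.attempts >= MAX_ATTEMPTS:
            return False                     # locked: brute force stops here
        rec.attempts += 1
        # Constant-time compare so timing does not leak matching prefixes.
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            rec.consumed = True              # single use: no replay
            return True
        if rec.attempts >= MAX_ATTEMPTS:
            del self._records[user_id]       # burn the code on lockout
        return False


def otp_response(ok: bool) -> dict:
    """Same body for every failure (wrong, expired, locked): nothing for an
    attacker to distinguish, and no client-side flag to flip."""
    return {"status": "ok" if ok else "invalid"}


# Vulnerable pattern: the server believes a flag the client sends, so an
# intercepting proxy can rewrite {"otp_verified": false} to true.
def complete_login_vulnerable(request_body: dict) -> bool:
    return request_body.get("otp_verified") is True


# Hardened pattern: the server re-checks the code it issued; the client can
# only send the code, never the verdict.
def complete_login_hardened(service: OtpService, user_id: str,
                            request_body: dict) -> bool:
    return service.verify(user_id, str(request_body.get("otp", "")))


def brute_force(service: OtpService, user_id: str, candidates) -> str | None:
    """Attacker loop: returns the accepted code, or None once locked out."""
    for guess in candidates:
        if service.verify(user_id, guess):
            return guess
    return None
```

With a 6-digit code and a 5-attempt lockout an attacker gets at most 5 guesses per issued code, so the brute-force loop returns None even when the true code is in its candidate list; without the lockout the same loop would succeed after at most a million requests, which is exactly the "no rate limit" condition described above.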