
OTP Disclosure in Server Response

I was surfing through an e-commerce website when I came across a significant security flaw in their OTP-based login system. Here’s how it went:

• The site offered an option to log in via OTP.

• After requesting the OTP, I opened the Network tab in Firefox to monitor the requests.

• I discovered a request named save_otp, and upon inspecting it, I noticed that the OTP was being disclosed in the response for the associated phone number.

• Using the exposed OTP, I was able to log in successfully and access the user's personal information.

🔐 Key Takeaway: This vulnerability underscores the importance of properly securing sensitive data like OTPs. An OTP that is returned to the client defeats the purpose of sending it out of band: anyone who can read the response can complete the login and reach the account's personal details.

💡 Recommendations for Fixing:

1. Never expose sensitive data like OTPs in network responses.

2. Implement strict server-side validation for all authentication steps.

3. Regularly conduct security audits to catch and resolve issues like this.
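As an added example (not code from the post or from the affected site), the flaw described above beside a hardened handler: the vulnerable `save_otp` echoes the code in its response body, while the fixed version stores only a keyed hash, sends the code out of band, and verifies it server-side with an expiry, an attempt cap, a constant-time comparison and single use. The function names, the in-memory store, the server key and the `send_sms` callback are assumptions for the example.

```python
import hmac
import secrets
import time

# Constructed example values: in a real deployment the key comes from a
# secrets manager and the store is a database or cache with a TTL.
SERVER_KEY = secrets.token_bytes(32)
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
_store = {}  # phone -> {"mac": str, "expires": float, "attempts": int}

def _mac(phone, otp):
    """Keyed hash of the OTP so the stored value is useless if the store leaks."""
    return hmac.new(SERVER_KEY, f"{phone}:{otp}".encode(), "sha256").hexdigest()

def _new_otp():
    return f"{secrets.randbelow(10**6):06d}"  # CSPRNG, fixed 6 digits

def save_otp_vulnerable(phone, send_sms):
    """The pattern described in the post: the OTP is echoed back to the caller."""
    otp = _new_otp()
    _store[phone] = {"mac": _mac(phone, otp), "expires": time.time() + OTP_TTL_SECONDS, "attempts": 0}
    send_sms(phone, otp)
    return {"status": "ok", "phone": phone, "otp": otp}  # whoever reads this response can log in

def save_otp_fixed(phone, send_sms, now=None):
    """Hardened version: the OTP leaves the server only via the out-of-band channel."""
    now = time.time() if now is None else now
    otp = _new_otp()
    _store[phone] = {"mac": _mac(phone, otp), "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    send_sms(phone, otp)
    return {"status": "ok"}  # no OTP, no hash, nothing derived from it

def verify_otp(phone, submitted, now=None):
    """Server-side check: expiry, attempt cap, constant-time compare, single use."""
    now = time.time() if now is None else now
    rec = _store.get(phone)
    if rec is None or now > rec["expires"]:
        _store.pop(phone, None)
        return False
    if rec["attempts"] >= MAX_ATTEMPTS:
        _store.pop(phone, None)  # lock out guessing; the user must request a new code
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(rec["mac"], _mac(phone, submitted)):
        _store.pop(phone, None)  # consumed; the same code cannot be replayed
        return True
    return False
```

Even with a correct response body, the same check applies to every other place the code could surface: server logs, error messages, analytics events and debug headers.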

This discovery shows how easily security oversights can lead to major risks. I have responsibly disclosed this issue to the affected company and hope they resolve it soon.
