OTP lockout state leaked valid-code signal, enabling OLX account takeover
Source: Reddit
Published:
<p>I published a technical write-up on an old OLX account takeover issue. The core bug was an OTP correctness leak inside the rate-limit state. After repeated invalid OTP attempts, the application showed a lockout message. However, blocked submissions did not become response-equivalent. Invalid code
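A constructed Python illustration of this bug class, added here and not taken from the post or from OLX's code: the leaky verifier enforces the lockout only on the invalid-code path, so a locked account still answers differently to a correct code, while the hardened verifier checks the lockout before comparing anything, making blocked submissions response-equivalent. The policy values and the `blocked_responses` regression check are assumptions.

```python
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 5      # constructed policy values, not OLX's
LOCK_SECONDS = 600

@dataclass
class OtpState:
    """Per-login OTP state (hypothetical; kept server-side in a real service)."""
    code: str
    failures: int = 0
    locked_until: float = 0.0

def verify_leaky(state: OtpState, submitted: str, now: float) -> str:
    """Vulnerable pattern: the lockout is only enforced on the invalid-code
    branch, so a correct code still returns 'ok' while the account is locked.
    The lockout message therefore leaks whether the submitted code was right."""
    if not hmac.compare_digest(state.code, submitted):
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCK_SECONDS
            return "locked"
        return "invalid"
    state.failures = 0
    return "ok"

def verify_hardened(state: OtpState, submitted: str, now: float) -> str:
    """The lockout is checked before the code is compared at all, so a blocked
    submission gets the same response and leaves the same state whether or
    not the code was correct."""
    if now < state.locked_until:
        return "locked"
    if not hmac.compare_digest(state.code, submitted):
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCK_SECONDS
            return "locked"
        return "invalid"
    state.failures = 0
    return "ok"

def blocked_responses(verify, correct: str = "482913", now: float = 1000.0):
    """Regression check (constructed): drive the account into lockout with
    wrong codes, then submit a wrong code and the correct code and return the
    two responses. A safe verifier returns an identical pair."""
    state = OtpState(code=correct)
    for _ in range(MAX_ATTEMPTS):
        verify(state, "000000", now)
    wrong = verify(state, "000000", now + 1)
    right = verify(state, correct, now + 1)
    return wrong, right
```

Running `blocked_responses` against both verifiers shows the leak directly: the leaky one answers ("locked", "ok"), the hardened one ("locked", "locked").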