Simple hack to bypass OTP issue

Question

Simple hack to bypass OTP issue

monishthummala opened this issue 3 years ago · comments

A simple hack:
Instead of using a protected API for generation of OTP, use the public API for generation. This removes the need to use a secret key. Surprisingly combination of public(generation)/protected(confirmation) seems to generate a usable token(can be used for booking as well. Tested with a random subject). I've used the existing APIs for the rest. This seems to have resolved the issue. It is consistent with the browser's behavior ( if it works there it'll work here)

axd123 · Answer 1 · Fri May 07 2021 21:26:22 GMT+0800 (China Standard Time)

That's interesting.

madhu2504 · Answer 2 · Fri May 07 2021 22:55:03 GMT+0800 (China Standard Time)

You might get the OTP but it will not be validated correctly in production env. Have you tried to complete the entire journey with that?

Shiv Kokroo · Answer 3 · Sat May 08 2021 01:31:17 GMT+0800 (China Standard Time)

A simple hack:
Instead of using a protected API for generation of OTP, use the public API for generation. This removes the need to use a secret key. Surprisingly combination of public(generation)/protected(confirmation) seems to generate a usable token(can be used for booking as well. Tested with a random subject). I've used the existing APIs for the rest. This seems to have resolved the issue. It is consistent with the browser's behavior ( if it works there it'll work here)

Any code samples?