OTP lockout state leaked valid-code signal, enabling OLX account takeover
I published a technical write-up on an old OLX account takeover issue. The core bug was an OTP correctness leak inside the rate-limit state. After repeated invalid OTP attempts, the application showed a lockout message. However, blocked submissions did not become response-equivalent. Invalid codes during lockout still produced the invalid-code signal. The valid code during lockout removed that signal while keeping the lockout message. That made the lockout state act as an oracle for whether the OTP was correct. The broader impact came from reuse of the verification flow across account paths, including recovery/reset-style flows, plus weak session revocation behavior after password change. The write-up focuses on the response-difference behavior, why the validity window mattered, how the issue escalated to account takeover, and why lockout states must stop leaking success/failure information.

submitted by /u/TheReedemer69
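The lockout-oracle pattern described in the post, as an added defensive illustration that is not code from the write-up or from OLX: a constructed verifier that layers the lockout message on top of the correctness check (so a locked response still differs between a wrong and a right code) next to one that short-circuits on lockout, plus a check a defender can run to confirm the two responses are identical. The attempt limit, the sample OTP and the response shapes are assumptions.

```python
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumed lockout threshold


@dataclass
class OtpState:
    secret_code: str  # OTP issued for this session (constructed sample)
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS


def verify_leaky(state: OtpState, submitted: str) -> dict:
    """Leaky pattern: the lockout message is added, but the code is still
    compared, so 'code_error' is present for a wrong code and absent for
    the right one even while locked. The lockout state becomes an oracle."""
    response = {}
    if state.locked:
        response["error"] = "Too many attempts. Try again later."
    if not hmac.compare_digest(state.secret_code, submitted):
        state.failures += 1
        response["code_error"] = "Invalid code"
    return response


def verify_fixed(state: OtpState, submitted: str) -> dict:
    """Hardened pattern: once locked, the submitted code is never evaluated
    and every response is byte-for-byte the same (response-equivalent)."""
    if state.locked:
        return {"error": "Too many attempts. Try again later."}
    if not hmac.compare_digest(state.secret_code, submitted):
        state.failures += 1
        return {"code_error": "Invalid code"}
    state.failures = 0
    return {"ok": True}


def oracle_leaks(verify) -> bool:
    """Defender's check: drive the state into lockout with wrong guesses,
    then compare the locked responses for a wrong and the right code.
    True means the lockout state still reveals OTP correctness."""
    state = OtpState(secret_code="493027")  # constructed OTP, not a real value
    for _ in range(MAX_ATTEMPTS):
        verify(state, "000000")
    wrong = verify(state, "111111")
    right = verify(state, "493027")
    return wrong != right
```

The same check applies to status codes, headers and timing, not only the JSON body; a verifier is only response-equivalent when nothing observable depends on the submitted code once lockout is reached.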