OTP Bombing

d0natel00.medium.com · d0natel00(KiroMoheb) · 3 days ago · research
How to make people unable to use their phones or emails

d0natel00(KiroMoheb) · ~4 min read · April 3, 2026 (Updated: April 3, 2026) · Free: Yes

(Image: "Bad Hackers Have Gifts For YOU")

Hello friend, today I'm going to explain OTP bombing, how malicious actors exploit it, and how they make it into a service!

Warning: performing OTP bombing on any person's email or phone number, even as a prank, is a cybercrime under the law of most countries.

What is OTP bombing?

When a user creates a new account, the app wants them to confirm that a phone number or an email belongs to them, or an app wants you to confirm some sensitive action. It sends you an OTP (One Time Password): a code, mostly 4–6 digits and sometimes mixed characters and digits.

That is a good intention, right? But hackers exploited that and sent a lot of OTPs to someone's email or phone number via SMS or automated phone calls, which makes the victim unable to use the service.

Imagine that you, as a normal person using your email and phone, open your inbox and see a lot of OTP messages coming from a lot of emails. A flood of notifications can even make your device glitch and drain your battery.

Severity on HackerOne and Bugcrowd

HackerOne → N/A | INFO LOW

Real example from a VDP

Note: I used https://temp-mail.org/ to get a POC.

I found a signup page without a captcha, so I signed up as a normal user.

Fake email: [email protected]

(Screenshot: signup page)

Even the phone number: it doesn't check whether it belongs to you or not!

(Screenshot: Send OTP)

Simply, it sends a POST request to an API endpoint, /api/otp/otp_generate/, and it responds with: OTP Sent

I sent it again from the terminal without specifying any cookie headers or anything and got the same response, without any restrictions.

Let's get the POC with the Burp Intruder.

(Screenshot: 100 POST requests)

I configured the Intruder to do 100 POST requests with NULL payloads (they don't do anything, just like a for loop).

(Screenshot: 100 tested without any error)

We got no error, all sent. Let's see our inbox after this.

(Screenshot: only 100 requests)

This is a flood of OTPs (just 100 from one source). What real malicious actors do is combine more vulnerable APIs for OTP bombing, like this one, and start sending OTP messages to the targets' emails and phone numbers.

Signs of OTP bombing:

- Lack of a secure captcha (not a bypassable one)
- Lack of rate limiting
- Lack of small time lockouts (like 1 minute after a successful request)

Why malicious actors do that:

They make it a service. Someone pays to harass someone, and they do it. Or even to make the companies that own those vulnerable APIs lose money.

Main 3 reasons:

- User harassment
- Financial losses to companies
- Distraction (if they did something that the victim will get notified about with a message, for example they send a ton of OTP messages to make the user unable to see what happened, like the password of a social media account being changed or something)

I hope you took some useful information from this writeup. Goodbye!

#cybersecurity #bug-bounty
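The three "signs" listed above (no captcha, no rate limiting, no short lockout after a successful request) are also the three controls that stop the flood. The example below is added here and is not code from the original post or from the VDP target; it simulates an OTP-send handler in plain Python with no web framework. The endpoint path /api/otp/otp_generate/ and the "OTP Sent" response come from the writeup; the request field names, the limits (60-second cooldown, 5 per destination per hour, 20 per source IP per hour), the captcha stub, and the sample destination and IP are constructed for the example.

```python
# Added example: an OTP-send endpoint with the controls the writeup says were
# missing (captcha, rate limiting, per-destination cooldown), next to a
# handler that behaves like the vulnerable one. Field names, limits and the
# captcha stub are assumptions for illustration, not the target's real API.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class OtpRequest:
    destination: str                     # email address or phone number
    source_ip: str
    captcha_token: Optional[str] = None  # assumed field name


def vulnerable_otp_generate(req: OtpRequest, now: float,
                            sent_log: List[Tuple[float, str]]) -> dict:
    """Behaves as the writeup describes: every POST dispatches an OTP, no checks."""
    sent_log.append((now, req.destination))
    return {"status": 200, "detail": "OTP Sent"}


class OtpSendGuard:
    """Hardened handler for POST /api/otp/otp_generate/ (path from the writeup).

    Checks, in order: captcha must verify (stops unattended loops), a fixed
    cooldown after each successful send to the same destination, then
    sliding-window caps per destination and per source IP.
    """

    def __init__(self, captcha_verify: Callable[[Optional[str]], bool],
                 cooldown_s: float = 60.0,
                 per_destination: Tuple[int, float] = (5, 3600.0),
                 per_ip: Tuple[int, float] = (20, 3600.0)) -> None:
        self.captcha_verify = captcha_verify
        self.cooldown_s = cooldown_s
        self.dest_max, self.dest_span = per_destination
        self.ip_max, self.ip_span = per_ip
        self.last_sent: Dict[str, float] = {}
        self.dest_window: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_window: Dict[str, Deque[float]] = defaultdict(deque)
        self.sent_log: List[Tuple[float, str]] = []
        self.denials: List[Tuple[float, str, str, str]] = []  # (time, ip, dest, reason)

    @staticmethod
    def _prune_and_count(window: Deque[float], now: float, span: float) -> int:
        # Drop timestamps that fell out of the sliding window, return what is left.
        while window and now - window[0] >= span:
            window.popleft()
        return len(window)

    def check(self, req: OtpRequest, now: float) -> Tuple[bool, str]:
        if not self.captcha_verify(req.captcha_token):
            return False, "captcha_failed"
        last = self.last_sent.get(req.destination)
        if last is not None and now - last < self.cooldown_s:
            return False, "cooldown"
        if self._prune_and_count(self.dest_window[req.destination], now,
                                 self.dest_span) >= self.dest_max:
            return False, "destination_rate_limited"
        if self._prune_and_count(self.ip_window[req.source_ip], now,
                                 self.ip_span) >= self.ip_max:
            return False, "ip_rate_limited"
        return True, "ok"

    def handle(self, req: OtpRequest, now: float) -> dict:
        ok, reason = self.check(req, now)
        if not ok:
            # The specific reason goes to the log for detection, not to the caller.
            self.denials.append((now, req.source_ip, req.destination, reason))
            return {"status": 429, "detail": "Too many OTP requests, try again later"}
        self.last_sent[req.destination] = now
        self.dest_window[req.destination].append(now)
        self.ip_window[req.source_ip].append(now)
        self.sent_log.append((now, req.destination))
        return {"status": 200, "detail": "OTP Sent"}


def simulate_burst(n: int = 100, gap_s: float = 0.5) -> dict:
    """Replay the writeup's scenario (n identical POSTs from one source, one
    every gap_s seconds) against both handlers. Destination and IP are
    constructed sample values."""
    req = OtpRequest(destination="victim@example.com",
                     source_ip="203.0.113.7", captcha_token="ok")
    vuln_log: List[Tuple[float, str]] = []
    guard = OtpSendGuard(captcha_verify=lambda token: token == "ok")
    for i in range(n):
        now = i * gap_s
        vulnerable_otp_generate(req, now, vuln_log)
        guard.handle(req, now)
    reasons: Dict[str, int] = defaultdict(int)
    for _, _, _, reason in guard.denials:
        reasons[reason] += 1
    return {"vulnerable_sent": len(vuln_log),
            "hardened_sent": len(guard.sent_log),
            "denied_by_reason": dict(reasons)}


if __name__ == "__main__":
    print(simulate_burst(100, 0.5))   # 100 delivered vs 1 delivered, 99 on cooldown
    print(simulate_burst(7, 60.0))    # slow drip: 5 delivered, then the hourly cap
```

With the writeup's 100 requests in under a minute, the vulnerable handler delivers 100 OTPs while the guarded one delivers one and logs 99 cooldown denials; spacing requests a minute apart gets past the cooldown but hits the per-destination hourly cap after five. The captcha stub (`token == "ok"`) stands in for a server-side verification call to whatever captcha provider is deployed, and the per-reason denial log is what a detection rule would alert on when one IP or one destination accumulates denials.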