DEF-031 — OTP verification accepts any code — phone login and registration can be bypassed by anyone

Defect DEF-031 — Severity: Critical · Status: New · Component: Backend · Category: Security
Published: 2026-06-17

Summary

The POST /verify-phone-otp endpoint accepts any OTP value — including random codes, wrong codes, and the previously-known staging workaround 1111. A caller who knows a user’s registered email and phone number can authenticate as that user without ever receiving an SMS. OTP verification is completely non-functional on the server.

Environment

  • Platform: DriveLink Backend API
  • Server: https://project6.dxtserver.com/drivelink_new/public/api/v1
  • Area: Authentication / Security
  • Requirement(s): FR-01 (User Registration), FR-53 (Login — Phone OTP), NFR-08 (Authentication Security)
  • Date Reported: 2026-06-17
  • Testing Phase: Backend API Testing

Steps to Reproduce

  1. Obtain any registered user’s email and phone number.
  2. Send POST /verify-phone-otp with a completely wrong OTP code:
{
  "email": "target@example.com",
  "phone": "501234567",
  "dial_code": "971",
  "otp_code": "000000",
  "firebase_auth_token": "",
  "device_type": "android",
  "fcm_token": "any_value"
}
  3. Observe the response.

Expected Behaviour

The server rejects "000000" (or any code that was not issued) with status: "false" and an error message. Only the specific OTP sent to the user’s phone should be accepted, and only within its validity window.

Actual Behaviour

The server returns a successful login response regardless of the OTP value:

{
  "status": "1",
  "message": "Login successful",
  "oData": { "user_access_token": "...", ... }
}

Verified with the following codes — all accepted:

  OTP code submitted | Result
  -------------------|--------------------
  1111               | ✅ Login successful
  000000             | ✅ Login successful
  999999             | ✅ Login successful

Impact

Account takeover without credentials: Any attacker who knows a target’s email and phone number (both often publicly visible) can obtain a valid session token for that account without the user’s knowledge or consent.

Registration bypass: New accounts can be verified without ever receiving an SMS OTP, bypassing the phone verification step entirely.

Combined with session invalidation (NFR-19): Because a new login invalidates the previous token, an attacker using this bypass will silently log the legitimate user out of the app — the user loses their session with no warning or notification.

No rate limiting observed: The endpoint returned success immediately with no throttling, making automated attacks trivially fast.

Scope: All accounts on the server are affected. No specific knowledge of the target account is required beyond their email and phone number.

Severity

Critical (Security)

Status

New

Reported By

QA / Testing Team