Hello experts,
I’m facing a confusing issue and would really appreciate technical insights from experienced developers or security professionals.
In our system, the OTP sending port/slot officially opens at exactly 2:00 PM. Before that time, the website does not show the “Send OTP” option.
However, we’ve observed that some developers or API users are able to receive OTP codes earlier, around 1:58–1:59 PM, even though:
- The “Send OTP” button is not yet enabled on the website
- The email address is already attached (they don’t need to re-enter the email or SIM number)
- The captcha (required for both SMS and email OTP) has not yet been completed
- The OTP is still delivered successfully to email and SMS
This raises several questions:
- How is it technically possible to trigger OTP generation before the frontend enables it?
- Could this be done by:
  - Directly calling backend or OTP API endpoints?
  - Reusing an existing session, token, or cookie?
  - Predicting or bypassing captcha validation?
  - Time synchronization differences between frontend and backend servers?
- Is this likely a security misconfiguration, such as:
  - OTP API not enforcing time-based or captcha checks
  - Missing server-side validation
  - Rate-limit or session validation flaws
- How can this technically be done, and can you share any APIs, request flows, or procedures that would allow triggering OTP generation before the frontend option appears and before captcha completion?
Any explanation of how this might happen, or guidance on the technical flow involved, would be extremely helpful.
Thanks in advance for your guidance.
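Editor's note, added as an illustration and not part of the original post: the symptoms described (OTP delivered before the button appears, without a captcha solve, from a session that already has an email attached) are what you get when the time window and captcha are enforced only in the frontend, so a direct call to the OTP endpoint with an existing session skips them. The example below is hypothetical code written for this page, not the system in question. It contrasts a weak handler that trusts client-supplied state with a hardened one that re-checks every condition server-side: the schedule against the server clock, a captcha proof that is signed, session-bound, expiring and single-use, and a per-identity cooldown. The captcha provider is simulated with an HMAC-signed token so the script runs offline; `OtpGate`, `issue_captcha_token` and the secret are constructed names.

```python
"""Server-side gating for a scheduled OTP endpoint (hypothetical example).

The captcha check is simulated with an HMAC-signed, single-use token so the
script runs offline; a real service would call its captcha provider's
verification API instead. All names and the secret are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone

# Constructed signing key; load from a secret store in practice.
CAPTCHA_SECRET = b"constructed-captcha-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_captcha_token(session_id: str, now: datetime,
                        ttl: timedelta = timedelta(minutes=2)) -> str:
    """Stand-in for the proof a captcha provider returns after a solved
    challenge: bound to the session, expiring, and signed so it can't be forged."""
    claims = {"sid": session_id, "exp": (now + ttl).timestamp()}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(CAPTCHA_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


@dataclass
class OtpGate:
    open_at: time = time(14, 0)            # 2:00 PM in the server's zone
    zone: timezone = timezone.utc
    cooldown: timedelta = timedelta(seconds=60)
    used_captcha_tokens: set = field(default_factory=set)
    last_sent: dict = field(default_factory=dict)

    def send_otp_insecure(self, session: dict) -> tuple[bool, str]:
        """Weak pattern: the UI hides the button before 2:00 PM, but the API
        never checks the clock and trusts a client-controlled captcha flag."""
        if not session.get("email"):
            return False, "no email attached"
        if not session.get("captcha_done", True):   # attacker simply omits it
            return False, "captcha not done"
        return True, "otp sent"

    def send_otp_secure(self, session: dict, captcha_token: str | None,
                        now: datetime) -> tuple[bool, str]:
        """Hardened pattern: every condition the UI gates on is re-checked
        here against server-held state and the server clock."""
        if not session.get("email"):
            return False, "no email attached"
        # 1. Time window from the server clock, never from the client.
        if now.astimezone(self.zone).time() < self.open_at:
            return False, "slot not open"
        # 2. Captcha proof verified server-side and bound to this session.
        if not self._verify_captcha(captcha_token, session["id"], now):
            return False, "captcha invalid"
        # 3. Per-identity cooldown so a valid session can't hammer the sender.
        last = self.last_sent.get(session["email"])
        if last is not None and now - last < self.cooldown:
            return False, "cooldown"
        self.last_sent[session["email"]] = now
        return True, "otp sent"

    def _verify_captcha(self, token: str | None, session_id: str,
                        now: datetime) -> bool:
        if not token or "." not in token:
            return False
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(CAPTCHA_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return False
        claims = json.loads(payload)
        if claims.get("sid") != session_id or now.timestamp() > claims.get("exp", 0):
            return False
        if token in self.used_captcha_tokens:   # replay: one solve, one OTP
            return False
        self.used_captcha_tokens.add(token)
        return True
```

With `send_otp_insecure`, a request at 1:58 PM from a session that already carries an email succeeds, which matches the observation in the question; with `send_otp_secure` the same request is refused by the server clock check, and after 2:00 PM it is still refused until a fresh, session-bound captcha proof is presented, and refused again if that proof is replayed or the cooldown has not elapsed. Whether the real system has this gap can be confirmed only by reviewing its OTP endpoint, not guessed from the symptoms alone.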