DEV Community

Discussion on: OTP verification without any Database

Ian Macartney

Building on what's already been said, you are providing the expiry and the target hash, and they already know the phone. So an attacker can (on their own computer) generate the SHA256 for all of ${phone}.${0-999999}.${expires} and see which one matches, and then make a single request with the correct code. If you salted the hash it would make it harder to brute force, but as it stands this seems very very insecure, unless I'm missing something.

Ian Macartney

I wrote some Python and generated all hashes in under a second locally:

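```python
import time
from hashlib import sha256

phone = "+18001234567"
# `challenge` is the "<hash>.<expiry>" string the client receives; placeholder value here
challenge = "<hash>.<expiry>"
expiry = challenge.split(".")[1]
start = time.time()
for i in range(1000000):  # every 6-digit code, 000000 through 999999
    sha256(f"{phone}{i:06d}{expiry}".encode('utf-8'))
print(time.time() - start)
# > 0.3987562656402588
```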
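An added example (not code from the original post or from anyone in this thread): the unkeyed challenge the comments describe beside a keyed variant, with an audit check of which codes can be confirmed using only client-visible data. The `hash.expiry` layout is inferred from the snippet's `challenge.split(".")[1]`; the server-side secret key, the use of HMAC-SHA256, the sample values and all function names are assumptions of this example.

```python
import hashlib
import hmac
import time

PHONE = "+18001234567"   # constructed sample values
OTP = "042317"
EXPIRES = "1893456000"   # Unix time, 2030-01-01


def _msg(phone, otp, expires):
    return f"{phone}.{otp}.{expires}".encode("utf-8")


def issue_plain(phone, otp, expires):
    """Unkeyed challenge: every input except the 6-digit code is known to the client."""
    return f"{hashlib.sha256(_msg(phone, otp, expires)).hexdigest()}.{expires}"


def issue_keyed(phone, otp, expires, key):
    """Keyed challenge: the digest also depends on a secret that never leaves the server."""
    return f"{hmac.new(key, _msg(phone, otp, expires), hashlib.sha256).hexdigest()}.{expires}"


def verify_keyed(phone, otp, challenge, key, now=None):
    """Recompute the HMAC server-side; reject expired or malformed challenges."""
    digest, _, expires = challenge.partition(".")
    now = time.time() if now is None else now
    if not expires.isdecimal() or int(expires) < now:
        return False
    expected = hmac.new(key, _msg(phone, otp, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def codes_confirmable_offline(phone, challenge):
    """Audit check: codes that match the challenge using only client-visible data."""
    digest, _, expires = challenge.partition(".")
    return [f"{i:06d}" for i in range(1_000_000)
            if hashlib.sha256(_msg(phone, f"{i:06d}", expires)).hexdigest() == digest]


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # assumed server-side secret, never sent to the client
    print("plain:", codes_confirmable_offline(PHONE, issue_plain(PHONE, OTP, EXPIRES)))
    print("keyed:", codes_confirmable_offline(PHONE, issue_keyed(PHONE, OTP, EXPIRES, key)))
```

With the key held server-side, a guess can only be checked by sending it to the server, which is where attempt limits can be enforced.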