Building on what's already been said, you are providing the expiry and the target hash, and they already know the phone. So an attacker can (on their own computer) generate the SHA256 for all of ${phone}.${0-999999}.${expires} and see which one matches, and then make a single request with the correct code. If you salted the hash it would make it harder to brute force, but as it stands this seems very very insecure, unless I'm missing something.
I wrote some python and generated all hashes in under a second locally:
from hashlib import sha256
phone="+18001234567"
expiry= challenge.split(".")[1]
start = time.time();
for i in range(999999):
sha256(f"{phone}{i:06d}{expiry}".encode('utf-8'))
print(time.time() - start)
> 0.3987562656402588
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Building on what's already been said, you are providing the expiry and the target hash, and they already know the phone. So an attacker can (on their own computer) generate the SHA256 for all of
${phone}.${0-999999}.${expires}
and see which one matches, and then make a single request with the correct code. If you salted the hash it would make it harder to brute force, but as it stands this seems very very insecure, unless I'm missing something.I wrote some python and generated all hashes in under a second locally: