I wrote up an old OLX account takeover bug where the interesting part was not that OTPs existed. It was that the lockout state still leaked whether the submitted OTP was correct.

The flow looked blocked from the outside:

wrong code → invalid code
too many wrong codes → try again later
correct code during lockout → try again later, but the invalid-code signal disappeared

That meant the rate limit was not neutral. It was still answering the only question that mattered.

Because the same verification behavior appeared across account flows like signup, login verification, password reset, and account recovery, the bug could become full account takeover instead of just a weird OTP-screen issue.

The persistence part made it worse: changing the password did not reliably kill the attacker's existing session.

submitted by /u/TheReedemer69
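Added example, not code from the post above and not OLX's implementation: a toy OTP verifier in two versions that shows the oracle the post describes and the ordering fix. In the leaky version the code is compared before the lockout is consulted, so during lockout a wrong guess still says "invalid code" while the correct one says "try again later"; the hardened version gates on lockout first, answers identically for every guess while locked, and discards the code after too many failures. An Account class covers the persistence half (revoking other sessions on password change). Every class, function and constant name here is hypothetical, and the 6-digit codes and timestamps are constructed for the demo.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 600
TRY_LATER, INVALID, OK = "try again later", "invalid code", "ok"


class LeakyVerifier:
    """Vulnerable ordering (hypothetical): compare first, consult the lockout only
    on the success path. Locking also resets the failure counter, so later wrong
    guesses fall back to INVALID while the correct guess keeps answering TRY_LATER.
    The lockout message itself becomes the oracle."""

    def __init__(self, otp):
        self.otp = otp
        self.failures = 0
        self.locked_until = 0

    def verify(self, guess, now):
        if not hmac.compare_digest(guess, self.otp):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0          # the reset is what re-enables INVALID
                return TRY_LATER
            return INVALID
        if now < self.locked_until:        # correct code, but locked
            return TRY_LATER
        return OK


class HardenedVerifier:
    """Fixed ordering: the lockout gate runs before any comparison, and after
    MAX_ATTEMPTS the code is invalidated, so every guess during lockout gets the
    same answer and the old code can never be redeemed once the lockout expires."""

    def __init__(self, otp):
        self.otp = otp                     # None once invalidated or used
        self.failures = 0
        self.locked_until = 0

    def verify(self, guess, now):
        if self.otp is None or now < self.locked_until:
            return TRY_LATER
        if hmac.compare_digest(guess, self.otp):
            self.otp = None                # single use
            return OK
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.otp = None                # a delay alone would still be guessable
            return TRY_LATER
        return INVALID


def pick_candidate(verifier, now):
    """Attacker's view: enumerate codes. OK wins outright. A guess that answers
    TRY_LATER twice in a row is the one the lockout is hiding: against the leaky
    server a wrong guess that merely triggered the lockout answers INVALID on the
    retry, because the counter was reset."""
    for code in range(10 ** 6):
        guess = f"{code:06d}"
        first = verifier.verify(guess, now)
        if first == OK:
            return guess
        if first == TRY_LATER and verifier.verify(guess, now) == TRY_LATER:
            return guess
    return None


def attack_succeeds(verifier_cls, otp):
    """Enumerate at t=0, wait out the lockout, then redeem the candidate."""
    v = verifier_cls(otp)
    candidate = pick_candidate(v, now=0)
    if candidate is None:
        return False
    return v.verify(candidate, now=LOCKOUT_SECONDS + 1) == OK


class Account:
    """Persistence half: a password change must revoke every other session,
    otherwise the attacker's existing session survives the reset."""

    def __init__(self):
        self.sessions = set()

    def login(self):
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def change_password(self, current_session):
        self.sessions = {current_session}  # everything else is revoked

    def is_valid(self, token):
        return token in self.sessions
```

The attacker's heuristic in pick_candidate also returns a candidate against the hardened verifier (the first guess that trips the lockout), but redeeming it fails because the code was discarded; attack_succeeds makes that difference observable. The design point is the order of checks: any branch that depends on the comparison result must sit behind the lockout gate, and the lockout should end the code's life rather than just delay it.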