Expected Findings
- OTP verification has no rate limit and accepts brute-forced codes.
- Magic links are valid for 7 days and can be used multiple times.
- Verification responses leak whether the account exists.
Neither the OTP flow nor the magic-link flow is rate limited: the OTP is a six-digit code, and a link can be used repeatedly until it expires days after it was issued.
otp = fmt.Sprintf("%06d", rand.Intn(1_000_000)) // six-digit code from math/rand; no attempt counter, no lockout
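A hardened counterpart to the snippet above, added here as an example (not code from the original page), using a hypothetical in-memory Store: the code is drawn from crypto/rand, every verification attempt is counted and the code locks after five guesses, a successful use burns the code, and every failure returns the same ErrInvalid so the response cannot reveal whether the account exists. The same expires/used bookkeeping is what a magic link needs to be single-use and short-lived.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrInvalid is returned for every failure, so the response never reveals whether the account exists.
var ErrInvalid = errors.New("invalid or expired code")

const maxAttempts = 5 // guesses allowed per issued code before lockout

type otp struct {
	code     string
	expires  time.Time
	attempts int
	used     bool
}

// Store maps account -> live code; an in-memory stand-in (hypothetical) for a shared, locked store.
type Store map[string]*otp

// Issue draws a six-digit code from crypto/rand (not math/rand), valid for 5 minutes.
func (s Store) Issue(account string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s[account] = &otp{code: code, expires: time.Now().Add(5 * time.Minute)}
	return code, nil
}

// Verify counts every attempt, locks after maxAttempts (the right code then fails too),
// compares in constant time, and burns the code on first success.
func (s Store) Verify(account, code string) error {
	c, ok := s[account]
	if !ok || c.used || time.Now().After(c.expires) {
		return ErrInvalid
	}
	c.attempts++
	if c.attempts > maxAttempts || subtle.ConstantTimeCompare([]byte(c.code), []byte(code)) != 1 {
		return ErrInvalid
	}
	c.used = true
	return nil
}
```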