The recent news of hackers using OTP APIs for SMS bombing and 44 Indian APIs being exposed is a matter of concern for everyone. According to a report, hackers have developed automated software programs that exploit OTP verification APIs to flood mobile devices with excessive OTP SMS messages. These rogue scripts have the potential to cause targeted outages of telecommunications services, causing financial and reputational harm to the brands affected. The situation raises concerns about the possibility of “multi-factor authentication (MFA) fatigue” or “exhaustion” attacks in account takeover scenarios.
The researchers have uncovered multiple GitHub repositories containing references to global companies and their APIs. These APIs allow unlimited OTP SMS messages to be sent to any number, lacking rate limiting or captcha protection. This vulnerability has led to the abuse of these APIs by automated tools, resulting in increased API costs, legal repercussions, and reputational damage to affected brands.
It is important to note that bombarding phones with SMS messages, even after activating DND (Do Not Disturb) services, constitutes harassment and nuisance under IPC Section 268, and further qualifies as theft, cheating, and dishonest inducement of property delivery under IPC Sections 378 & 420.