Hackers use OTP APIs for SMS bombing, 44 Indian APIs exposed


New Delhi, Aug 28 (IANS): Hackers have developed automated software programmes that exploit OTP (One-Time Password) verification APIs (Application Programming Interface) to flood mobile devices with excessive OTP SMS messages, a new report said on Monday.

According to the cyber-security company CloudSEK, when these rogue scripts are released, they have the potential to cause targeted outages of telecommunications services, causing financial and reputational harm to the brands affected.

The situation raises concerns about the possibility of "multi-factor authentication (MFA) fatigue" or "exhaustion" attacks in account takeover scenarios.

The researchers have uncovered multiple GitHub repositories containing references to global companies and their APIs. These APIs allow unlimited OTP SMS messages to be sent to any number, lacking rate limiting or captcha protection.

This vulnerability has led to the abuse of these APIs by automated tools, resulting in increased API costs, legal repercussions, and reputational damage to affected brands.

"This attack could be used as a veil to hide illegitimate login attempts made by the threat actors to gain access to the users' device. This also implies that while the attack is going on the user may miss out on critical notifications," said Mudit Bansal, Cyber Threat Researcher, CloudSEK.

"Further, due to the constant request of OTPs a service might block your account and you might not be able to access it," he added.

Moreover, the number of exposed APIs according to the country includes -- India with 44 exposed APIs, Russia with 81 exposed APIs, and Indonesia with one exposed APIs.

The findings also underline the accessibility and financial aspects of these malicious services, which include -- numerous online tools that enable anyone to launch such campaigns effortlessly, the tools are available for free, as the primary cost burden falls on the brands owning the SMS-sending APIs, and a single OTP SMS could cost a brand up to 20 paisa.

Bombarding phones with SMS messages, even after activating DND (Do Not Disturb) services, constitutes harassment and nuisance under IPC Section 268, and further qualifies as theft, cheating, and dishonest inducement of property delivery under IPC Sections 378 & 420, the report mentioned.

 

  

Top Stories


Leave a Comment

Title: Hackers use OTP APIs for SMS bombing, 44 Indian APIs exposed



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.