Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Taking over Uber accounts through voicemail - 546

AssetNote - Posted 4 Years Ago
  • Uber added a feature for sending an OTP PIN via a voice call. For this flow to work, the "I didn't receive a code" button needs to be used.
  • Most OTP phone calls will not put the code into the voicemail. However, Uber did not have protection for this in place. So, what's the issue with this? Apparently, voicemail boxes are not very secure!
  • Voicemail services, just like anything else, may have security issues of their own. The article references an exploit for accessing voicemail for a telco in Australia. In general, the exploits work by abusing caller ID spoofing when trying to access your mobile number.
  • The Uber OTP code being placed into the voicemail is not a vulnerability by itself. But, because voicemails are commonly hackable, this becomes an issue. Uber decided not to pay out for this issue because it requires a vulnerability in a separate product. To me, not writing the OTP code to voicemail is a good defense-in-depth measure.
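
One way to keep a voice-delivered code out of a voicemail box is to speak it only after the callee presses a prompted key. This is an added example, not code from the AssetNote article or from Uber; the function name, event tuples and timeout are assumptions made for it, and the call events are constructed.

```python
import secrets

MAX_WAIT_SECONDS = 8  # assumed timeout before the call is dropped unconfirmed

def run_voice_otp_call(otp, callee_events, challenge_digit=None):
    """Simulate one outbound OTP call (hypothetical helper).

    callee_events is a constructed list of far-end events:
    ("answered",), ("dtmf", "4"), ("silence", seconds), ("hangup",).
    Returns (spoken, confirmed): spoken is every line of audio we played,
    which is exactly what a voicemail box on the far end would record.
    """
    if challenge_digit is None:
        # Random digit, so a greeting tone or stray beep is unlikely to match.
        challenge_digit = str(secrets.randbelow(10))
    spoken, confirmed, waited = [], False, 0
    for event in callee_events:
        kind = event[0]
        if kind == "answered":
            # The prompt carries no secret; it is safe to land in voicemail.
            spoken.append(f"Press {challenge_digit} to hear your verification code.")
        elif kind == "dtmf" and not confirmed:
            if event[1] != challenge_digit:
                break  # wrong key: hang up without speaking the code
            confirmed = True
            spoken.append(f"Your code is {' '.join(otp)}.")
        elif kind == "silence":
            waited += event[1]
            if not confirmed and waited >= MAX_WAIT_SECONDS:
                break  # nobody confirmed: likely voicemail, drop the call
        elif kind == "hangup":
            break
    return spoken, confirmed

# Constructed call traces: a person who presses the key, and a voicemail box
# that answers, records for ten seconds and never sends a keypress.
HUMAN_CALL = [("answered",), ("silence", 2), ("dtmf", "4")]
VOICEMAIL_CALL = [("answered",), ("silence", 10), ("hangup",)]

if __name__ == "__main__":
    for name, trace in (("human", HUMAN_CALL), ("voicemail", VOICEMAIL_CALL)):
        spoken, confirmed = run_voice_otp_call("493817", trace, challenge_digit="4")
        print(name, "confirmed:", confirmed, "heard:", spoken)
```
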