
OTP Lockout State Leak Enables OLX Account Takeover
Tags: Cybersecurity, Vulnerabilities, Account Takeover, Authentication
A technical write-up details an account takeover vulnerability in OLX caused by an OTP correctness leak in the rate-limiting logic. After repeated invalid OTP attempts the system displayed a lockout message, but a valid code submitted during the lockout cleared the invalid-code indicator while the lockout message remained. The difference in responses allowed an attacker to determine whether a guessed OTP was correct despite the lockout. The issue was compounded by the reuse of the same verification flow across account recovery paths and by weak session revocation after password changes.
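To make the defect concrete, here is an added example (not OLX's code and not from the write-up) of a toy OTP verifier that keeps evaluating the code after lockout, beside a hardened version that stops comparing once the attempt budget is exhausted and returns one uniform response; the class names, the `Response` fields and the sample secret are constructed for illustration.

```python
"""Added example: OTP verifier that leaks correctness during lockout, and a fix.
Everything below is constructed for illustration; it is not OLX's implementation."""
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # constructed lockout threshold


@dataclass
class Response:
    locked: bool
    invalid_code: bool  # the indicator that leaks in the vulnerable verifier


@dataclass
class OtpState:
    secret: str
    failures: int = 0


class VulnerableVerifier:
    """Shows the lockout message, but still evaluates the code and surfaces the result."""
    def __init__(self, secret: str) -> None:
        self.state = OtpState(secret)

    def verify(self, code: str) -> Response:
        st = self.state
        locked = st.failures >= MAX_ATTEMPTS
        correct = code == st.secret           # bug: compared even while locked
        if not correct:
            st.failures += 1
        return Response(locked=locked, invalid_code=not correct)  # leaks correctness


class HardenedVerifier(VulnerableVerifier):
    """Once locked, the code is never compared; every locked response is identical."""
    def verify(self, code: str) -> Response:
        st = self.state
        if st.failures >= MAX_ATTEMPTS:
            return Response(locked=True, invalid_code=False)  # uniform, no oracle
        if hmac.compare_digest(code, st.secret):
            st.failures = 0
            return Response(locked=False, invalid_code=False)
        st.failures += 1
        return Response(locked=st.failures >= MAX_ATTEMPTS, invalid_code=True)


def response_reveals_correctness(verifier_cls, secret: str = "482913") -> bool:
    """Exhaust the attempt budget, then check whether a locked verifier answers a
    wrong code and the right code differently (True means an oracle exists)."""
    v = verifier_cls(secret)
    for _ in range(MAX_ATTEMPTS):
        v.verify("000000")
    wrong, right = v.verify("111111"), v.verify(secret)
    assert wrong.locked and right.locked
    return wrong != right
```

The same lockout state must be enforced by every flow that shares the verifier (the write-up notes the flow was reused for account recovery), otherwise the uniform response in one path is undone by another.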