Comments
-
If it's time based (as it should be) it won't be sent anywhere. It's generated on the phone and verified by the website. Both are more or less just RNGs, seeded with the same value.
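The scheme this comment describes is TOTP (RFC 6238): phone and website each hold the same seed, derive the current code from it and the clock, and only the six digits are ever typed in. The following is an added example, not code from anyone in this thread; it assumes HMAC-SHA1, 30-second steps and the RFC 4226/6238 reference secret as the constructed shared seed.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo value: the seed both sides hold after enrollment.
# In practice it arrives via the setup QR code, never over SMS.
SHARED_SEED = b"12345678901234567890"  # RFC 4226/6238 reference test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the 'counter' is simply the current 30-second time slice."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, candidate: str, unix_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Website side: recompute the code for the current slice and its
    neighbours (clock skew tolerance) and compare in constant time."""
    current = int(unix_time // step)
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, current + delta, digits)
        # compare_digest avoids a timing side channel; the loop always runs
        # to completion so the number of comparisons does not leak the slot.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def demo(now: float) -> dict:
    """Phone generates, site verifies: nothing but the digits cross the wire."""
    phone_code = totp(SHARED_SEED, now)
    return {
        "phone_code": phone_code,
        "accepted_now": verify_totp(SHARED_SEED, phone_code, now),
        "accepted_next_slice": verify_totp(SHARED_SEED, phone_code, now + 30),
        "accepted_stale": verify_totp(SHARED_SEED, phone_code, now + 120),
        "accepted_wrong": verify_totp(SHARED_SEED, "000000", now),
    }


if __name__ == "__main__":
    print(demo(time.time()))
```

The replay case (`accepted_stale`) is why a server should also remember the last slice it accepted per user; a code from two slices ago falls outside the window even without that bookkeeping.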
-
If it's utterly horribly coded then sure
But normally no, since the website will simply ask the server to send Phone an OTP, an OTP is generated and sent from the backend, without the website even knowing that something got sent unless there was a success code and not fire-n-forget -
@dIREsTRAITS
The problem with SMS is... That it's like sending a pigeon carrying a letter.
SMS has zero security. Like none. Nothing. Nada. Niente. Nullo.
You're sending a clear text password over an unencrypted, interceptable communication owned by multiple foreign parties (service providers, government, ...). -
tedge: Ok after the shit I've seen I could totally see someone doing this. It would be some php developer who implemented otp via sms. An attacker could then log in as any user by requesting an otp for that user.
It would be better to send otp by email.
sms is ok for 2fa, only because it’s better than 1fa -
@tedge wait what, of course 2nd factor. I hope OP isn't talking of the 1st factor here? That would be complete bogus.
Guys, is it possible to catch an OTP code sent from a website to a phone through the browser just because of a lack of security practice and a weakly coded script?