First user register with 12345 number, he verified the number
Second user register with the same number 12345, he don’t need to verify his number anymore

I believe this is a bug

@ajwad
Osclass does not restrict that 1 phone number could not be used by several users, or in several accounts.

i understand that it does not restrict 1 phone number with 1 account, but verification still didn't send out, and it mark that account as verify without that person verifying it

@ajwad
Well, phone was verified already and that's job of the plugin.

That's right! This is a very serious problem! This bug can be exploited by attackers... And then the question arises, why do we need such verification at all, if anyone can register under someone else's number. This is a serious flaw - how can I fix it so that when I try to enter an already verified number again, a message appears that this phone number already exists in the database?

@ajwad
Osclass does not restrict that 1 phone number could not be used by several users, or in several accounts.

That's understandable.... But then the user must understand that it is necessary to specify a different number in the profile or during verification. Otherwise, you can use the site under someone else's name and the user will be responsible for the actions, who will not even know that someone used his phone number. This is a very serious flaw!

Hi,

Has this exploit been fixed, as I would like to buy the plugin?
This is a huge issue, as it basically invalidates the whole purpose of the SMS verification.

If a good user registers with the email [email protected] and verifies the phone 12345, then 100 bad users can register with different emails and the same number, and start posting spam ads, acting like they're already verified...
Also, if you choose to show a verified badge based on the phone number, then all spammers would get that badge.

To fix it, I think that a correlation needs to be made between the phone and the actual email of the user.
So if the number already exists in the registered users DB and it's also associated to an existing email, if a new email registers using the same number, then ask again for the validation. If the second validation is successful, then invalidate the first one.
This way, we can allow to have only 1 phone-email validated at the same time = bye bye spam/bad users!

You must make phone number unique, ie using phone number login.

@Frosticek
Oops, I tested a bit and indeed, this is a big one.

The problem with using the Phone Number Login Plugin is that in it's current form it's a bit unreliable and doesn't let you re-validate a number (maybe you want to create a different account and use the same phone number as you used in another account).

As the guy stated above, the validation should be performed by the SMS Notification and Verification, because this is the actual purpose of the plugin.
So a function should be added to check if the phone already exists in any of the user accounts (both fields: mobile and land) and if true, require a re-validation.

There's no need to get the email involved, just the phone number uniqueness check is enough.
But yeah, it's important to make sure that if User Account 1 is verified and User Account 2 re-validates the same number successfully, then User Account 1 should become unverified.
And if User Account 1 logs in and successfully re-validates the same number, then User Account 2 becomes unverified, and so on.
**The above applies to a user that tries to create multiple accounts with the same phone number.**

Basically it's a game of checking for duplicates, and if found, prompt for the validation check.
So if I post listings from my SMS verified account, and a hacker wants to steal my identity, he can't as he needs to enter the code that's sent to my number.

If you won't fix it, at least make a note on the product page, that for this plugin to work 90%, it also needs the Phone Number Login Plugin.
It's only 90% because the re-validation feature is missing, and in this case the Phone Number Login Plugin is just a band-aid so that your identity can't be stolen.

Thanks!

@Tango
Feature delivered in 1.6.1

@Frosticek
Thanks for the update!

However there's still a problem here, and that is the missing re-validation option in the user account and at register.

The whole idea is to prevent users from using the same phone number in multiple accounts.
This is beneficial in so many ways as it prevents a user from creating multiple accounts with the same number, leading to: fake-spammy accounts, fake reviews, fake orders in the eCommerce etc.

To fix this, we need the possibility to re-validate numbers in other accounts, like this:

If User Account 1 is verified and User Account 2 re-validates the same number successfully, then User Account 1 should become unverified.
And if User Account 1 logs in and successfully re-validates the same number, then User Account 2 becomes unverified, and so on.

This should happen in both cases: after register and when updating the user account.

Basically the plugin should do 2 main things:

• Check if the number already exists and it's verified by an account (both mobile and land fields)
• If 1 is TRUE, and a new account successfully re-validates it, then proceed and un-verify the first account

At the moment, v1.6.1 uniqueness check doesn't let you change the number anymore as it says it's already in use.

Bottom line is that re-validation of an existing account number in a new account = the existing account becomes unverified.

Also, there's this CSS issue in Bender:


Thanks!

@Tango
For css issue, add this to your style.css:
.sms-body, .sms-body * {box-sizing:border-box; -moz-box-sizing:border-box; -webkit-box-sizing:border-box;}
Point 2) is not doable: If 1 is TRUE, and a new account successfully re-validates it, then proceed and un-verify the first account
Because you cannot validate phone that yet does not exists on particular user account.

It would require extra tables to store phone number temporary and hold information who is previous owner, who is new owner, so once phone is verified, what accounts should be updated.

From my point of view it is much simpler to contact support to provide details why phone is used on that and that account. If it was not verified, admin can update old account and remove phone from there.