u said in video that wait until any victim user click our comment, but in your case you directly get many users like clicking on poll now in my case i won't how much time should i wait??
The basic flaw: it assumes the required code does not change. Use an authenticator tool, with 6-digits that change every 30-seconds, with a 3-mistakes-results in a 5-minute cooldown, and you will need a quantum computer to try to break that puppy.
That will not work for most sites, as 1 the 4 digit usually 6 digits code keeps changing, often one-time codes and time limited, 2 after several failed attempts the account is locked, 3 often a secure app is used, 4 the system alerts the account holder of a login from a new device. 5 behavior checks, to see if its a automated attack.
So basically this attack works on requsting a new otp from the server then trying that otp and hope that our combination of generated and payload otp somehow matches . Isn't this , really difficult and completely based on luck i mean yeah we can increase the speed by making our own code in nodejs or some other languages which are very very fast when it comes to webscraping but still the odds are very very high thay we will get the code i am not sure if any website will be willing to pay for this bug . Please correct me if am wrong 🙏
The time is right. When the OTP is six digits long, it will not prevent the final cut of the exam in case of selection due to a challenge. If the OTP is not released within 60 seconds, the OTP will expire.