I was trying to reset the password of any user. What's wrong with the verification code...
Take the account you just registered for testing...
When logging in, click forgot password to go to the password retrieval page...
Http://www.xd.com/security/forget_pass
Enter the user name. Next, you need to enter the user's mobile phone number, but because only four digits are hidden, there is no limit on the number of errors, you can capture packets to guess the real mobile phone number, such...
Because there are only four digits, the speed is still very fast, so it is easy to get the user's mobile phone number...
In fact, this is a small problem...
However, after all, the leakage of user privacy is... in case of exploitation by criminals... sending a winning scam message...
Or social engineering...
Solution:
It is better to limit the number of errors...