The Everus.org Android application version 1.0.9 has a fundamental design flaw where the client can send a random phone number during the second factor flow with an arbitrary existing user id and the server send the attacker the one time password for the other user. Continue reading...