WEBVERSE

medium · Multi-Factor Auth · Pro

LotteryWheel

A telehealth scheduling portal with SMS code verification at sign-in. The lockout is firm but the firmness depends on what you bring with you to the next attempt.

The Scenario

Lateral Health launched in Brooklyn in 2023 and onboarded 100 clinicians in their first year. The operations team was proud enough of the onboarding process that they blogged about it in detail, including the specific shortcuts they took to move fast. The SMS-code step at login was added the same quarter; their brute-force protection was the first attempt they shipped, not the last.

Challenge Intel

Synopsis

The login flow rate-limits the SMS verification step, but the limit counts attempts against something the attacker controls. Pair that with what the marketing blog overshares about onboarding, and exhausting the code space is a few minutes' work.

What It Is

Lateral Health's portal asks clinicians for a three-digit SMS code after password sign-in. Wrong codes are tracked; too many in a row locks you out. The lockout's bookkeeping is honest about where it lives, which makes it bypassable. A separate find — a public blog post that overshares about the company's onboarding shortcuts — gives the player a foothold password for at least one founding clinician. From there it's measured patience against the verification step.
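The distinction this challenge turns on, as an added illustration that is not part of the challenge or the portal's own code: a failure counter kept in the client's session record versus one keyed on the account and held server-side. The account name, SMS code and attempt limit are constructed values.

```python
import secrets

MAX_ATTEMPTS = 5
# Constructed sample data: one clinician account and its current 3-digit SMS code.
ACCOUNTS = {"dr.alvarez": {"sms_code": "417"}}


class SessionScopedVerifier:
    """Weak pattern: the failure counter lives in the client's session record."""
    def __init__(self):
        self.sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"failures": 0}  # counter is born with the session
        return sid

    def verify(self, sid: str, user: str, code: str) -> str:
        state = self.sessions[sid]
        if state["failures"] >= MAX_ATTEMPTS:
            return "locked"
        if secrets.compare_digest(code, ACCOUNTS[user]["sms_code"]):
            return "ok"
        state["failures"] += 1
        return "wrong"


class AccountScopedVerifier(SessionScopedVerifier):
    """Hardened pattern: the counter is keyed on the account being verified and
    held server-side, so it does not reset when the client starts a new session."""
    def __init__(self):
        super().__init__()
        self.failures = {}  # account -> consecutive wrong codes

    def verify(self, sid: str, user: str, code: str) -> str:
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        if secrets.compare_digest(code, ACCOUNTS[user]["sms_code"]):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "wrong"


def lockout_survives_new_session(verifier: SessionScopedVerifier) -> bool:
    """Exhaust the limit in one session, then check whether a brand-new session
    is still locked out of the same account. True means the lockout holds."""
    sid = verifier.new_session()
    for _ in range(MAX_ATTEMPTS):
        verifier.verify(sid, "dr.alvarez", "000")
    return verifier.verify(verifier.new_session(), "dr.alvarez", "000") == "locked"
```

A permanent per-account lock invites denial of service against that clinician, so a production version would use a time-boxed lock or escalating backoff rather than the indefinite lock shown here.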

Who It's For

Testers ready to chain a small recon find into a brute-force, and to notice when a rate limit is enforced on something they control versus something the server controls.

Skills You'll Practice

  • Mining marketing copy for operational defaults that didn't get rotated
  • Mapping a clinician directory to login identifiers
  • Identifying session-scoped rate-limit state
  • Restarting state between brute-force attempts

What You'll Gain

  • Confidence that a lockout you can reset isn't really a lockout
  • Pattern recognition for marketing-overshare-as-credential leak

Ready to hack LotteryWheel?

Upgrade to Pro to unlock this challenge and the full library.