The Leaf Guy 🍃👨‍💻

20K posts

@igbomalam

Software Developer 🍃👨‍💻

Federal Capital Territory, Nig. Joined September 2021
1.6K Following, 2.7K Followers

Pinned Tweet
The Leaf Guy 🍃👨‍💻
Excited to announce that DevI Software Solutions has been awarded the contract to build SendMe. SendMe is a delivery platform inspired by the bidding system used by inDrive but built specifically for logistics. I’ll be sharing daily progress updates as development continues.
The Leaf Guy 🍃👨‍💻
YOU CAN LOSE A LOT OF MONEY THROUGH SMS INTEGRATION IF YOU DON'T DO THIS

I just integrated Termii into SendMe and I can tell you for free that this can happen to anyone.

A few days ago I integrated Termii into SendMe for OTP verification during authentication. Nothing fancy — just followed the documentation, standard integration, no big moves. Or so I thought.

Fast forward to 2 days ago. I'm presenting progress to the team, everything is looking smooth, and then I noticed something unusual — the "Continue" button was slow to respond. So I clicked it again. Innocent enough, right? Wrong.

Here's the context: I had built the button to change state on click — it switches to "Sending..." and once the request returns successfully, it navigates the user to the OTP screen. Clean flow. Except when I clicked twice, it fired two separate OTP requests to Termii. Two OTPs sent. Termii debited twice. Two messages hit my phone.

Now here's where it gets worse — my clients were on the call and they didn't even notice the two OTPs come in. I entered the first one, and it had already expired because that's how OTP systems work: the moment a new OTP is generated, every previous one from that session is invalidated.

So I'm sitting there on a live presentation with an expired OTP, a double charge, and a button that has no protection against being tapped twice. Omo, I quietly asked for permission, turned off my mic, and muted myself to gather my thoughts 😭. Jotted it all down immediately after the call.

Then the very next day I saw that post — and it was like a reinforcement. A reminder that these things are not small. A double API call here, a missing debounce there — it's not just a bug, it's real money leaving someone's account every single time a user gets impatient and taps twice.

The Fix: Independently, I disabled and blurred the button the moment it's clicked — so no matter how impatient you are, that button is completely dead on first tap.

On top of that, I implemented proper rate limiting: 4 requests per IP address, 3 requests per phone number every 30 minutes. And then the final layer — device fingerprinting. Not your regular biometric fingerprint oo 😂, just a way of telling the system "this device has already made this request, it shouldn't be allowed to do it again." Three layers of protection for what started as zero, just like he mentioned below. 🔒

Small mistakes can cost people a lot. Nobody is above it. We just hope and pray we never make the deadly one. 🙏
Smart👨‍💻 | Software Engineer @smartnakamoura

A Nigerian startup launched their app. Built a clean OTP flow. No rate limiting on the SMS endpoint. Shipped it.

Within 48 hours, their Termii balance went from ₦150,000 to zero. They woke up to failed OTP delivery complaints from real users. Checked their logs. Someone had been hitting their /send-otp endpoint in a loop with thousands of requests sending SMS to sequential phone numbers that were not even their users.

This is called SMS pumping fraud. Here is how it works:
• Fraudsters find your open OTP endpoint
• They send requests to thousands of phone numbers, sometimes numbers they control on premium routes
• Every successful SMS costs you money
• They get a cut from the carrier. You get the bill.

It is automated. It runs while you sleep.

The fixes that would have stopped it entirely:
• Rate limit by IP: max 3 OTP requests per IP per hour
• Rate limit by phone number: max 3 requests per number per 10 minutes
• Add a minimum delay between requests
• Implement CAPTCHA or device fingerprinting on the frontend
• Alert yourself when SMS spend spikes above a threshold

None of this is complicated. All of it takes less than a day to implement.

That startup lost ₦150,000 in two days and had to shut down OTP entirely while they fixed it. Their users thought the app was broken. Some never came back.

The breach was not dramatic. No hacker. No sophisticated attack. Just an open endpoint and a bot.

Secure your OTP flow before you launch. Not after you've learned the hard way.

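The three server-side layers the post describes (per-IP limit, per-phone limit, device fingerprint) plus the spend alert from the quoted tweet, as an added example that is not SendMe's code. It uses the post's numbers (4 per IP and 3 per phone every 30 minutes); the OTP lifetime, the fingerprint string and the injectable clock are assumptions for the demo.

```python
from collections import defaultdict, deque
import time

WINDOW = 30 * 60        # rate-limit window in seconds (30 minutes, per the post)
MAX_PER_IP = 4
MAX_PER_PHONE = 3
OTP_TTL = 5 * 60        # assumed lifetime of a pending OTP; not from the post


class OtpSendGuard:
    """Decides whether a /send-otp request may reach the SMS provider."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of paid sends
        self.phone_hits = defaultdict(deque)
        self.sends = deque()                # every paid send, for spend alerts
        self.pending = {}                   # device fingerprint -> OTP expiry

    def _window(self, q):
        """Drop timestamps older than WINDOW and return the live deque."""
        now = self.now()
        while q and now - q[0] >= WINDOW:
            q.popleft()
        return q

    def request_otp(self, ip, phone, fingerprint):
        """Return 'sent', 'pending', 'ip_limited' or 'phone_limited'."""
        now = self.now()
        # Layer 3: same device, OTP still valid -> a double tap sends nothing.
        if self.pending.get(fingerprint, 0) > now:
            return "pending"
        ip_q = self._window(self.ip_hits[ip])
        phone_q = self._window(self.phone_hits[phone])
        # Layers 1 and 2: check both limits before recording anything, so a
        # refused request does not burn quota in the other bucket.
        if len(ip_q) >= MAX_PER_IP:
            return "ip_limited"
        if len(phone_q) >= MAX_PER_PHONE:
            return "phone_limited"
        ip_q.append(now)
        phone_q.append(now)
        self.sends.append(now)              # only this branch costs money
        self.pending[fingerprint] = now + OTP_TTL
        return "sent"

    def sends_last_window(self):
        """Paid sends in the last WINDOW; compare to a budget to raise an alert."""
        return len(self._window(self.sends))
```

Only the "sent" branch should call the provider; the caller clears `pending[fingerprint]` once the user verifies, so a legitimate resend after a failed entry still works.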
Ubi Franklin Ofem @ubifranklin1
lol person Dey doubt me? 😂 Just so y'all know, I turned 40 in February and I made a post that I will make 40 millionaires starting from April, and this lady is the first one. I'll be giving out 1 million each to different people as my spirit leads for the next few months. Stay alert on my Instagram and here on X (Twitter). Good luck.
Michael Eteng @DEGR8MYKE

@mrkay996 I told you he'd do it.
