Links

Phone Number Injections

It's possible to add strings at the end the phone number that could be used to exploit common injections (XSS, SQLi, SSRF...) or even to bypass protections:
OTP Bypass / Bruteforce would work like this:

References