
Is revealing the phone number during OTP verification process considered a vulnerability?

Information Security Asked by MyUserName on October 28, 2021

One of the common ways of implementing 2FA is using a phone number: a text message or call with an OTP. As I can see, web services usually show something like:

OTP was sent to the number +*********34

Is it done because revealing the number is considered a vulnerability?

If yes, then which one and is it described anywhere?

I guess it has something to do with not wanting to show too much info about the user. This info might be used for social engineering but maybe there is something else?

Having a link to a trusted location with the description would be great as well.

6 Answers

Keep in mind that the security of a phone number may be different with different mobile phone operators. You don't know how seriously some other organization unrelated to you takes security. This is especially so if your clients are residents of distant countries and you know very little about how operators work there. In my country it is possible to come to a mobile phone operator's center and persuade folks into simply giving you the SIM card of the desired phone number. All you need to give them is fake passport copies and they may not bother checking them. So no need for some fancy 0-day vulnerabilities and hacking skills, just talk to some unrelated people. This happened a lot in the past and is a huge security problem. Some people lost access to their sites or domain names because of it and lost huge amounts of income. Hackers used phone number-based single-factor authentication to gain access to their accounts and steal them.

I would give you links to examples but they're in a different language and I don't want to be accused of defamation.

Long story short: phone number protection is not good at all, at least when it's a single factor IMHO.

Answered by Gherman on October 28, 2021

I am not an expert, but when I have to change the password of my Google accounts, they always tell me that the OTP has been sent to this specific number.

I have different mobile numbers, and I don't remember what phone number I used on a website. Some old websites have sent the OTP to a phone number that I don't own now; that would be a problem if they didn't show what number they are sending the OTP to.

So I would recommend showing the number linked to the account they want to change their password of.

At last, I would say that there are thousands of vulnerabilities, but we do not take them into account because the probability of them happening is minute and not worth the inconvenience caused by it.

Answered by yatharth mheshwari on October 28, 2021

Well, the thing that all of us agree on is that by showing the full phone number, the application is leaking sensitive information about the user. I don't know what regulations apply to your country; however, based on the GDPR European regulation, phone numbers are considered personal info and as such should be handled appropriately. This means that if the phone number is revealed to another user, the application/website is not GDPR compliant. Again, I don't know what regulations apply in your specific case, but I think it is useful to have that in your mind when developing your application.

Now let's consider the scenario in which a malicious user, TRUDY, has somehow landed on the OTP screen and a message appears: "An OTP was sent to +30 0000000001". What can TRUDY do with that? I can think of 4 scenarios:

  1. SIM swap, as described by gowenfawr. This could have different levels of success depending on the SIM swap process that each carrier implements.
  2. Social engineering. Sending messages as your company, like "Your_company.com: Click on the link to insert your OTP/password", and other phishing emails.
  3. OSINT. Phone numbers are unique enough to help an attacker perform an open source investigation about the user in social media and other platforms, which could be used in spear phishing emails or to answer security questions like "What country/state are you from?". Of course this is not the most likely scenario and requires TRUDY to specifically invest time for this user.

To conclude, as long as TRUDY cannot use the phone number to gain further access to your system, I would argue it is not a vulnerability.

Answered by Vasilis Konstantinou on October 28, 2021

If the full number were listed then I could visit your account, request a new password, and know your phone number. The last two digits are a tradeoff that permits you to know it's (likely) your number without giving away your phone number to anybody who wants to view it on the website.

Answered by Jeff Ferland on October 28, 2021
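The "last two digits visible" tradeoff described in the answer above, as an added example that is not part of the original question or any of the answers. The function name, its parameters, the `MIN_HIDDEN_DIGITS` threshold and the sample numbers are all assumptions; the point it makes is that the masking happens server-side on the stored number, that formatting characters are dropped so digit grouping does not hint at the country or carrier, and that a number too short to keep most of its digits hidden is masked completely rather than partially.

```python
"""Masking a stored phone number for display on an OTP screen.

Added example (not from the original question or answers). The function
name, parameters, threshold and sample numbers below are assumptions.
"""
import re

# Assumption: never reveal trailing digits unless at least this many stay hidden.
MIN_HIDDEN_DIGITS = 6


def mask_phone(number: str, visible: int = 2) -> str:
    """Return a display string that reveals only the last `visible` digits.

    All formatting (spaces, dashes, parentheses) is dropped before masking so
    the grouping of the digits does not leak anything; only a leading '+'
    survives. If too few digits would remain hidden, nothing is revealed.
    """
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in phone number")
    prefix = "+" if number.strip().startswith("+") else ""
    if len(digits) - visible < MIN_HIDDEN_DIGITS:
        visible = 0  # too short to safely reveal a suffix: mask everything
    cut = len(digits) - visible
    return prefix + "*" * cut + digits[cut:]


def otp_sent_response(stored_number: str) -> dict:
    """Build the JSON body returned to the browser after an OTP is sent.

    Only the masked form is included; the stored number itself never
    leaves the server in this response.
    """
    return {"message": "OTP was sent to the number " + mask_phone(stored_number)}


if __name__ == "__main__":
    # Constructed sample numbers, not real subscribers.
    for sample in ["+1 (555) 010-0034", "+30 0000000001", "12345"]:
        print(sample, "->", mask_phone(sample))
    print(otp_sent_response("+1 (555) 010-0034"))
```

Running the block prints `+*********34` for the first constructed sample, which is the same shape as the message quoted in the question; the five-digit sample comes back fully masked because revealing two of five digits would leave too few hidden.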

The primary attack method against text message OTP is to 'sim swap' and take over the target's phone number. If the site provided the full number in this scenario, they'd be giving the attacker exactly the information they need to break the security being used.

(To lift up comments: In general, more personal information is needed, if you're going to social engineer telecom staff into swapping the SIM. In some places and under some carriers, it's even harder than that, requiring ID to be presented in person. But there are also cases where nothing more than the phone number is required, even with enhanced protections in place, if the telecom staff are colluding with the attackers.)

Answered by gowenfawr on October 28, 2021

This is not about a "vulnerability". This is about personally identifiable information (PII). It's the same reason why credit card numbers are not displayed in full on sites either.

Anyone passing by your screen, cameras recording, etc, would see the info. And it's not necessary to show the whole number. It's just there as a reminder to the user.

Answered by schroeder on October 28, 2021
