Phone Number Verification Bypass in Twitter

Steps to Reproduction : 

1- Using twitter.com when we sign Up and go to following URL https://twitter.com/settings/add_phone for Activating our phone no.

2- Now Add your Phone no here. and it Send us a Twitter Confirmation Code.

3- now we add the verification code, which we got on our phone, so it’s Activate our Account.
But In This Scenario there were no limit were  set for Verify the Verification Code, so it was easy to add a Fake/False Phone no, then twitter will send confirmation code on fake/false phone no. then the Attacker can Launch a brute force Attack on Confirmation Code Field Using own JavaScript or any other 3rd Party Tool. As We Know that is 6 Digit Confirmation Code so only 1000000 Combinations are possible for 6 digit code. and after Several Attempts The code would be the Perfect one and it will Activate Account using a Fake/False no.and with this.. there was a one more vulnerability was there That.. Twitter Send user a Same Confirmation Code Every time there were no any changes even after several of attempts. so When After Sometime user Change is Phone no. even Though he/she can use Old Confirmation Code to Activate his Account even if the no is Allotted to someone else.

I’m Submitting the snapshot here as the Proof of Concept..