Millions of SMS text messages—many containing one-time passcodes, password reset links, and plaintext passwords—were exposed in an Internet-accessible database that could be read or monitored by anyone who knew where to look, TechCrunch has reported.
The discovery comes after years of rebukes from security practitioners that text messages are a woefully unsuitable medium for transmitting two-factor authentication (2FA) data. Despite those rebukes, SMS-based 2FA continues to be offered by banks such as Bank of America, cellular carriers such as T-Mobile, and a host of other businesses.
The leaky database belonged to Voxox, a service that claims to process billions of calls and text messages monthly. TechCrunch said that Berlin-based researcher Sébastien Kaul used the Shodan search engine for publicly available devices and databases to find the messages. The database stored texts that were sent through a gateway Voxox provided to businesses that wanted an automated way to send data for password resets and other types of account management by SMS. The database provided a portal that showed two-factor codes and resent links being sent in near real-time, making it potentially possible for attackers who accessed the server to obtain data that would help them hijack other people’s accounts.
TechCrunch counted more than 26 million messages sent since the beginning of the year, but based on the volume of messages the publication saw passing through the platform per minute, the actual number may be higher. The database ran on Amazon’s Elasticsearch and was configured with a Kibana front-end to make the phone numbers, names, and other contents easy to browse and search. As TechCrunch reported:
- We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
- Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
- Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
- Many messages included two-factor verification codes for Google accounts in Latin America;
- A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
- We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
- Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
- We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
- Yahoo also used the service to send some account keys by text message;
- And, several small- to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.
Voxox locked down the database after TechCrunch privately reported it prior to publication. Voxox didn’t respond to a request by Ars for comment.
While the exposure raises serious questions about Voxox’s security practices, it also reflects poorly on the countless companies that continue to use SMS to transmit data for 2FA and account resets. Weaknesses in Signaling System No. 7, a telephony signaling language that telecommunications companies around the world use to ensure their networks interoperate, has already been abused by thieves to steal 2FA codes German banks sent to customers.
Crooks can also take over targets’ cellular numbers by masquerading as the rightful owners. Bank of America and T-Mobile didn’t provide comment for this post explaining why they continue to rely on SMS for account verification. And in fairness, they are by no means alone in making 2FA a medium for providing enhanced account security.
There are far more secure 2FA methods, including security key-based U2f or the Universal Authentication Framework standards from an industry consortium known as the FIDO alliance. Phone apps such as Duo Security or Google Authenticator aren’t perfect, but they still provide a much more secure way than 2fa as well.