Article 433W2 Database leak exposes millions of two-factor codes and reset links sent by SMS

Database leak exposes millions of two-factor codes and reset links sent by SMS

by
Dan Goodin
from Ars Technica - All content on (#433W2)
mtan-sms.jpg

Enlarge / 2FA via SMS happens worldwide, all. (credit: Raimond Spekking)

Millions of SMS text messages-many containing one-time passcodes, password reset links, and plaintext passwords-were exposed in an Internet-accessible database that could be read or monitored by anyone who knew where to look, TechCrunch has reported.

The discovery comes after years of rebukes from security practitioners that text messages are a woefully unsuitable medium for transmitting two-factor authentication (2FA) data. Despite those rebukes, SMS-based 2FA continues to be offered by banks such as Bank of America, cellular carriers such as T-Mobile, and a host of other businesses.

The leaky database belonged to Voxox, a service that claims to process billions of calls and text messages monthly. TechCrunch said that Berlin-based researcher Si(C)bastien Kaul used the Shodan search engine for publicly available devices and databases to find the messages. The database stored texts that were sent through a gateway Voxox provided to businesses that wanted an automated way to send data for password resets and other types of account management by SMS. The database provided a portal that showed two-factor codes and resent links being sent in near real-time, making it potentially possible for attackers who accessed the server to obtain data that would help them hijack other people's accounts.

Read 5 remaining paragraphs | Comments

index?i=20hzYe2wrdY:HhEUHa2CrAA:V_sGLiPB index?i=20hzYe2wrdY:HhEUHa2CrAA:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments