Database Blunder Left Two-Step Codes, Account Reset Links Exposed
A database security blunder revealed on Friday serves as a reminder that the days of SMS-based authentication should be over.
The database, which wasn’t protected by a password, contained 26 million text messages, some of which were two-step verification codes and password reset links, TechCrunch reports. When it was found, the database was still recording texts in near real-time, offering a huge resource for potential attackers.
The database ran on Amazon’s Elasticsearch and used Kibana, a visualization and querying tool that made it possible to search through the mass of data for text strings and phone numbers, TechCrunch reports.
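The core exposure here is that message bodies containing one-time codes and reset links were written, unaltered, into a searchable index. The following is an added example (not code from the page, from Voxox or from TechCrunch) of how an SMS gateway could redact those values and mask recipient numbers before a record is logged or indexed; the record layout and sample messages are constructed assumptions.

```python
import re

# Constructed sample records in an assumed gateway log layout (not real data).
SAMPLE_RECORDS = [
    {"to": "+14155550123", "body": "Your verification code is 482913. It expires in 10 minutes."},
    {"to": "+14155550199", "body": "Reset your password: https://example.com/reset?token=9f8e7d6c5b4a"},
    {"to": "+14155550142", "body": "Your appointment is confirmed for Monday at 9am."},
]

# Standalone 4-8 digit runs are treated as one-time codes; shorter numbers
# such as "10 minutes" or "9am" are left alone.
OTP_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")
# Any http(s) link; reset links carry bearer tokens in the path or query string.
URL_RE = re.compile(r"https?://\S+")


def redact_body(body: str) -> str:
    """Remove links first so digits inside a token are never matched as a code."""
    body = URL_RE.sub("[LINK REDACTED]", body)
    body = OTP_RE.sub("[CODE REDACTED]", body)
    return body


def mask_phone(number: str) -> str:
    """Keep only the last four digits so support staff can still correlate records."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_record(record: dict) -> dict:
    """Return a copy of the record safe to write to a log or search index."""
    return {"to": mask_phone(record["to"]), "body": redact_body(record["body"])}


def sanitize_all(records):
    return [sanitize_record(r) for r in records]


if __name__ == "__main__":
    for r in sanitize_all(SAMPLE_RECORDS):
        print(r)
```

Even with redaction in place, the index itself still needs authentication and network restrictions; redaction only limits what an exposure can leak.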
A security researcher, Sébastien Kaul of Berlin, discovered the database using the Shodan search engine, according to TechCrunch. The database belonged to Voxox, a San Diego-based company formerly known as Telecentris, which specializes in VOIP, bulk SMS and other cloud-based telecommunication services.
Voxox offers a service that helps organizations deliver SMS messages using the Short Message Peer-to-Peer (SMPP) protocol or a web service API. Voxox processes whatever message an organization wants to send and then passes it on to the mobile networks.
That makes the company a key part of the security chain. TechCrunch reports that a hunt through the database showed it held codes and messages transmitted by a host of big companies, including Microsoft, Yahoo, Fidelity Investments, Badoo and more.
After TechCrunch notified Voxox, the database was taken offline. Efforts by Information Security Media Group to reach Voxox officials weren’t immediately successful.
The risk posed by sending anything sensitive via SMS is well known and has been repeatedly flagged. In July 2016, the National Institute of Standards and Technology advised that SMS-based authentication should be deprecated.