Unprotected VOIP Server Exposed Millions of SMS Messages, Call Logs

By: Mohit Kumar

 

A California-based Voice-Over-IP (VoIP) services provider VOIPO has accidentally left tens of gigabytes of its customer data, containing millions of call logs, SMS/MMS messages, and plaintext internal system credentials, publicly accessible to anyone without authentication.

VOIPo is one of a leading providers of Voice-Over-IP (VoIP) services in the United States offering reseller VoIP, Cloud VoIP, and VoIP services to residentials and small businesses.

Justin Paine, the head of Trust & Safety at CloudFlare, discovered an open ElasticSearch database last week using the Shodan search engine and notified the VOIPO’s CTO, who then promptly secured the database that contains at least 4 years of data on its customers.

According to Paine, the database contained 6.7 million call logs dating back to July 2017, 6 million SMS/MMS logs dating back to December 2015, and 1 million logs containing API key for internal systems.

While the call logs included timestamp and duration of VOIPO customers’ VOIP calls and partial originating and destination phone numbers of those calls, the SMS and MMS logs even included the full content of messages.

Besides this, the unprotected database also stored 1 million logs containing references to internal hostnames, some of which also included plaintext usernames and passwords for those systems. These sensitive values were exposed since June 3, 2018.

More: https://thehackernews.com/2019/01/voip-service-database-hacking.html?fbclid=IwAR3MUyHbfv8Ck5QBrrxXi-Bci8vQiRZWGI8v1YxdPIjuQnZACpC4QEUfx-Y&&m=1

Database Misconfiguration Leaks 26 Million SMS Messages

By: Kacy Zurkus

A San Diego, California–based communications provider, Voxox, exposed a database containing at least 26 million text messages, including password reset links, two-factor authentication (2FA) codes and shipping notifications. The database was not password protected, which lead to the exposure of the personal information, phone numbers and 2FA codes in near real time.

“Unfortunately, these 26 million 2FA codes, password reset links and delivery tracking details leave the exposed individuals easy targets for threat actors engaged in account hijacking,” said Mark Weiner, CMO, Balbix“A basic misconfiguration like the one that caused this exposure should never occur; implementing a password is a simple but crucial first step in securing data.  The organization and its customers might still be secure if they had early visibility into vulnerabilities across their entire attack surface –including passwords – and been able to correct it shortly after launching the service.

“It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of attack vectors. Security platforms developed with artificial intelligence and machine learning are essential to support security teams and proactively manage risk.”

The latest exposure raises questions about whether organizations have become too reliant on passwords and 2FA to verify user identities and whether user credentials can ever be fully secured.

“In this latest example, the use of a simple two-factor authentication method – a one-time passcode sent over SMS – could be easily intercepted in near time, eroding any possibility of establishing a level of trust,” said Keith Graham, chief technology officer of SecureAuth. “As organizations seek to prevent credential-based breaches, they must move beyond password and simple two-factor authentication methods, which are no longer enough to safeguard against today’s attacks.”

More: https://www.infosecurity-magazine.com/news