
“We argue that these attacks are easier to test, verify, and implement at scale,” wrote researchers from the universities of New Mexico, Arizona, Louisiana, and Firm Circle. “The threat model can be realized using consumer-grade hardware and only basic to intermediate web security knowledge.”
SMS messages are sent unencrypted. Over the years, researchers have unearthed public databases of previously sent texts that contained authentication links and private details, including people’s names and addresses. One such discovery, from 2019, included millions of archived text messages sent and received over the years between a single business and its customers. This included usernames and passwords, university finance applications, and marketing messages with discount codes and job alerts.
Despite the known insecurities, the practice is thriving. For ethical reasons, the researchers behind the study had no way of capturing its true scale, as this would require bypassing access controls, no matter how weak they were. As a lens offering only a limited view into the process, the researchers looked at public SMS gateways. These are usually advertising-based websites that let people use a temporary number to receive messages without giving out their phone number.
With such a limited view of SMS-sent authentication messages, researchers were unable to measure the true scope of the practice and the security and privacy risks it poses. Nevertheless, their findings were remarkable.
The researchers collected 322,949 unique SMS-delivered URLs extracted from more than 33 million texts sent to more than 30,000 phone numbers, and found a lot of evidence of security and privacy risks for the people who receive them. Of those URLs, the researchers said, messages coming from 701 endpoints sent on behalf of 177 services exposed “significant personally identifiable information.” The root cause of the exposure was weak authentication based on tokenized links for verification. Anyone with the link can obtain users’ personal information from these services, including Social Security numbers, dates of birth, bank account numbers and credit scores.
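The weakness described above is that possession of the link is the only check. The following sketch is an added example, not code from the study or from any of the services it examined: it shows a link token that expires, works once, and still requires a second factor that never travels by SMS. The `LinkTokenStore` class, the PIN set at enrolment, the 15-minute lifetime and the three-failure lockout are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a link sent by SMS
MAX_FAILURES = 3             # assumed lockout threshold

def _token_digest(token):
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class LinkTokenStore:
    """In-memory stand-in for a service's token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}

    def issue(self, user_id, pin):
        """Return a token to embed in the SMS URL; the PIN is not sent by SMS."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self._records[_token_digest(token)] = {
            "user_id": user_id, "salt": salt, "pin": _pin_hash(pin, salt),
            "expires": self._clock() + TOKEN_TTL_SECONDS, "failures": 0,
        }
        return token

    def redeem(self, token, pin):
        """Return user_id only for a live token plus the correct PIN, else None."""
        key = _token_digest(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        if self._clock() >= rec["expires"]:
            del self._records[key]
            return None
        if not hmac.compare_digest(rec["pin"], _pin_hash(pin, rec["salt"])):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                del self._records[key]  # stop guessing against this link
            return None
        del self._records[key]  # single use: a replayed link gets nothing
        return rec["user_id"]
```

With this design, a link recovered from a public SMS gateway or an archived message database returns nothing on its own, and stops working after its first successful use or its expiry.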