A security error caused a huge database to be compromised. The tens of millions of text messages in the database contained password reset links, two-factor authentication codes, and delivery notifications.

The problematic server belongs to Voxox (formerly Telcentris), a communications company based in San Diego, California. The server is not password protected, and anyone who knows where to look can see near real-time SMS traffic.

For Sébastien Kaul, a security researcher in Berlin, it did not take long to find. Although Kaul found this exposed server on Shodan (a search engine for publicly accessible devices and databases), Voxox's own subdomain also points to it. To make matters worse, the database, running on Amazon Elasticsearch, is also equipped with a Kibana front end that makes the data easy to read, browse, and search by name, mobile number, and message content.

When we receive a text message from a company, whether it is an Amazon delivery notification or a two-factor authentication code for a service, most of us do not think about what happens behind the scenes. Typically, application developers such as HQ Trivia and Viber use technology from companies such as Telesign and Nexmo, either to verify a user's mobile number or to send a two-factor authentication code. It is companies like Voxox, however, that act as the gateway, responsible for turning that code into a text message sent to the user's mobile phone over the cellular network.

After TechCrunch sent an inquiry, Voxox took the database offline. At the time it was shut down, the database appeared to hold more than 26 million text messages since the beginning of the year. However, the number of messages processed per minute by the platform, visible from the database's front end, indicates that the actual number may be higher.

Each record is carefully tagged and has detailed information, including the recipient's mobile number, the content of the message, the Voxox customer who sent the message, and the short code they used.

By a cursory review of the data, we found that:

The messaging applications Kakao Talk and Viber and the Q&A application HQ Trivia use Voxox's services to verify users' mobile numbers.
We found a courier notification SMS sent by Amazon with a link that allows anyone holding it to see the package logistics information, including the UPS waybill number and the location of the Florida destination.
We found that the dating app Badoo sent a password in clear text to a mobile phone number in Los Angeles.
Fidelity Investment Group also sent a six-digit security verification code to a number belonging to the Chicago Loop area.
Several partners at sent a six-digit two-factor authentication code via SMS for access to the company's outreach network.
First Tech Federal Credit Union, a federally chartered credit union based in Mountain View, Calif., also sent a temporary bank password in plain text to a Nebraska mobile number.
Many text messages contain two-factor authentication codes for Google users in Latin America.
Yahoo also uses the service to send some account keys via SMS.
We also found text messages containing a Microsoft account password reset verification code and a Huawei account verification code.
Some small and medium-sized hospitals and medical institutions send text messages to patients as appointment reminders, and in some cases also provide billing inquiries.

"What I really worry about is the possibility that this has been abused," security researcher Dylan Katz said after reviewing some of the findings. "Yes, it's very bad."

Regardless of the disclosure of personal information and mobile phone numbers, the ability to read two-factor authentication codes in near real time may expose countless accounts to the risk of hijacking. In some cases, a website needs only a mobile number to complete an account reset. Anyone reading the text messages from the exposed database could therefore hijack such an account in a matter of seconds.