
“We argue that these attacks are straightforward to check, confirm, and execute at scale,” the researchers, from the universities of New Mexico, Arizona, and Louisiana and the company Circle, wrote. “The threat model will be realized using consumer-grade hardware and only basic to intermediate Web security knowledge.”
SMS messages are sent unencrypted. In recent years, researchers have unearthed public databases of previously sent texts that contained authentication links and personal details, including people’s names and addresses. One such discovery, from 2019, included many thousands of stored text messages sent and received over time between a single business and its customers. It included usernames and passwords, university finance applications, and marketing messages with discount codes and job alerts.
Despite the known insecurity, the practice continues to flourish. For ethical reasons, the researchers behind the study had no way to measure its true scale, because doing so would require bypassing access controls, however weak they were. As a lens offering only a limited view into the practice, the researchers examined public SMS gateways. These are typically ad-supported websites that let people use a temporary number to receive texts without revealing their own phone number.
With such a limited view of SMS-delivered authentication messages, the researchers were unable to measure the true scope of the practice or the security and privacy risks it posed. Still, their findings were notable.
The researchers collected 332,000 unique SMS-delivered URLs extracted from 33 million texts sent to more than 30,000 phone numbers. They found ample evidence of security and privacy threats to the people receiving them. Of those, the researchers said, messages originating from 701 endpoints sent on behalf of 177 services exposed “critical personally identifiable information.” The root cause of the exposure was weak authentication based on tokenized links used for verification: anyone holding the link could retrieve users’ personal information—including social security numbers, dates of birth, bank account numbers, and credit scores—from these services.
