Voxox SMS database is leaked, exposing SMS authentication security issues

November 20, 2018

A security lapse caused a huge database to be exposed. The tens of millions of text messages in the database contained password reset links, two-factor authentication codes, and delivery notifications.

The problematic server belongs to Voxox (formerly Telcentris), a communications company based in San Diego, California. The server was not password protected, and anyone who knew where to look could see near real-time SMS traffic.

It did not take long for Sébastien Kaul, a security researcher based in Berlin, to find it.

Although Kaul found this exposed server on Shodan (a search engine for publicly available devices and databases), Voxox's own second-level domain name also pointed to it. To make matters worse, the database, running on Amazon Elasticsearch, was also equipped with a Kibana front end that made the data easy to read, browse, and search by name, mobile number, and text message content.

When we receive a text message from a company, whether it is a delivery notification from Amazon or a two-factor authentication code for a service, most of us do not think about what is going on behind the scenes. Typically, application developers like HQ Trivia and Viber use technologies from companies such as Telesign and Nexmo, either to authenticate a user's mobile number or to send a two-factor authentication code. However, it is companies such as Voxox that act as the gateway, responsible for turning that code into a text message sent to the user's mobile phone over a cellular network.

After TechCrunch sent an inquiry, Voxox took the database offline. At the time it was taken down, the database appeared to hold more than 26 million text messages dating from the beginning of the year. However, the visual front end of the database showed the number of text messages the platform processed per minute, which indicates that the actual number may be higher.

Each record is carefully tagged and has detailed information, including the recipient's mobile number, the content of the message, the Voxox customer who sent the message, and the short code they used.

From a cursory review of the data, we found that:

Dating app Badoo sent a password in a plaintext message to a mobile phone number in Los Angeles;

Several partners at Booking.com sent a six-digit two-factor authentication code via SMS for access to the company's outreach network;

Fidelity Investment Group also sent a six-digit security verification code to a number in the Chicago Loop area;

Many text messages contain two-factor authentication codes for Google users in Latin America;

First Tech Federal Credit Union, a federally chartered credit union based in Mountain View, Calif., also sent a temporary bank password in plain text to a Nebraska mobile number in a text message;

Amazon sent a courier notification SMS with a link that allows you to see the package's logistics information, including the UPS waybill number and the package's location on the way to its Florida destination;

The messaging applications KakaoTalk and Viber and the Q&A application HQ Trivia use Voxox's services to verify the user's mobile number;

We also found a text message containing the Microsoft account password reset verification code and Huawei account verification code;

Yahoo also uses the service to send some account keys via SMS;

Some small and medium-sized hospitals and medical institutions send text messages to patients for appointment reminders, and in some cases also provide billing inquiries.

"Yes, it's very bad," security researcher Dylan Katz said after reviewing some of the findings.

Leaving aside the disclosure of personal information and mobile phone numbers, the ability to read two-factor authentication codes in near real time may expose countless accounts to the risk of being hijacked. In some cases, a website needs only a mobile number to complete an account reset. With access to the message text through the exposed database, an attacker could hijack an account in only a few seconds.

"What I really worry about is the possibility that this has been abused," Katz said. "This is different from most leaks, because the data is temporary: once the database is offline, any data leaked out is not very useful."

Keox Hertz, co-founder and chief technology officer of Voxox, said in an email that the company "is currently investigating this matter and is operating in accordance with standard data breach policies," and that the company is also "assessing impact."

Many companies, including Facebook, Twitter and Instagram, have introduced app-based two-factor authentication in order to move away from SMS-based authentication, which has long been considered very easy to intercept.

If you want an example of how easily SMS authentication can be intercepted, this leak is a very fitting one.

Author bio:

Chris Mcdonald is a research analyst at Area19Delagate. It is a part of popular technology blog Complete Connection. He has a very detailed knowledge about digital marketing and Technology field.