A Leaky Database of SMS Text Messages Exposed Password Resets and Two-Factor Codes (techcrunch.com)
A database which contained millions of text messages used to authenticate users signing into websites was left exposed to the internet without a password. From the report: The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn't protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sebastien Kaul, a Berlin-based security researcher, it didn't take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox's own subdomains. Worse, the database -- running on Amazon's Elasticsearch -- was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.
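The summary says the index was searchable for names, numbers and message bodies in near real time. The script below is an added example (not code from the TechCrunch report, from Voxox, or from the researcher) that shows what such an index hands anyone who can read it: it pulls one-time codes and reset links out of SMS-gateway log records and works out, against an assumed validity window, whether each secret is still usable at the moment it is observed. The sample documents and the field names `to_number`, `body` and `timestamp` are constructed for the example and are not Voxox's schema; the ten-minute and one-hour windows are assumptions too. The `redact` function shows what a gateway should have written to its log instead.

```python
"""Added example, not from the report or from Voxox: triage of an
SMS-gateway log stream like the one described, to show what an
unauthenticated Elasticsearch/Kibana index of such messages exposes.

The documents below are constructed for this example; the field names
(to_number, body, timestamp) are assumptions, not Voxox's real schema.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample documents shaped like SMS-gateway log entries.
SAMPLE_DOCS = [
    {"to_number": "+15555550101", "timestamp": "2018-11-15T18:02:11Z",
     "body": "Your verification code is 482913. It expires in 10 minutes."},
    {"to_number": "+15555550102", "timestamp": "2018-11-15T16:40:00Z",
     "body": "Reset your password: https://example.test/reset?token=8f3a9c2e1d"},
    {"to_number": "+15555550103", "timestamp": "2018-11-15T18:05:30Z",
     "body": "Your package is out for delivery."},
    {"to_number": "+15555550104", "timestamp": "2018-11-15T18:04:59Z",
     "body": "Use 7731 as your login PIN. Do not share it."},
]

OTP_RE = re.compile(r"\b(\d{4,8})\b")                       # 4-8 digit one-time code
RESET_URL_RE = re.compile(r"https?://\S+(?:reset|verify|token)\S*", re.IGNORECASE)
TRIGGER_RE = re.compile(r"\b(code|pin|password|verification|reset|login)\b", re.IGNORECASE)


def classify(body):
    """Return ('reset_link', url), ('otp', code) or None for one message body."""
    url = RESET_URL_RE.search(body)
    if url:
        return ("reset_link", url.group(0))
    # Only treat a digit run as a code when the wording says it is one,
    # so tracking numbers and prices in ordinary SMS are not flagged.
    if TRIGGER_RE.search(body):
        m = OTP_RE.search(body)
        if m:
            return ("otp", m.group(1))
    return None


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(docs, observed_at, otp_ttl=timedelta(minutes=10), link_ttl=timedelta(hours=1)):
    """For each sensitive message, report the secret, its age when observed,
    and whether it is still inside its (assumed) validity window."""
    findings = []
    for d in docs:
        hit = classify(d["body"])
        if hit is None:
            continue
        kind, secret = hit
        age = observed_at - _parse_ts(d["timestamp"])
        ttl = otp_ttl if kind == "otp" else link_ttl
        findings.append({
            "to_number": d["to_number"],
            "kind": kind,
            "secret": secret,
            "age_seconds": int(age.total_seconds()),
            "still_valid": timedelta(0) <= age <= ttl,
        })
    return findings


def triage_sample(observed_at="2018-11-15T18:06:00Z"):
    """Run triage over the constructed sample as seen at observed_at (UTC)."""
    return triage(SAMPLE_DOCS, _parse_ts(observed_at))


def redact(body):
    """What the gateway should have logged: the same message with the
    secret masked, which keeps the record useful for support without
    turning the log into a credential store."""
    body = RESET_URL_RE.sub(
        lambda m: re.sub(r"token=\w+", "token=[REDACTED]", m.group(0)), body)
    return OTP_RE.sub("[REDACTED]", body)


if __name__ == "__main__":
    for f in triage_sample():
        print(f)
    for d in SAMPLE_DOCS:
        print(redact(d["body"]))
```

Run against a live stream, every finding with `still_valid` set is a code or link that can be replayed before the legitimate user does, which is why a near-real-time feed is the damaging part of this exposure; the older reset link in the sample comes back expired, which is the only case the "they expire in minutes" argument covers.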
Re: Hostile (Score:1)
Yep, just your imagination.
Bitch.
Re: (Score:2)
I've had that impression as well. Perhaps the recent election results have stirred up the trolls?
Re: (Score:2)
It's not the last week or so.
The Troll Index (Troll/Relevant) fluctuated around a mean average for years.
Even after Trump was elected, the trend was steady-state.
Then, as the administration started pissing off its base, especially with the trade wars, anti-Trump spammers became more active.
Though the Troll Index on /. remained nominally flat during the Obama administration, those who voted him in were disappointed more than once, and that level of dissatisfaction floated up gently til the end of that admini
Re: (Score:2)
Well, to be clear, I was not referring to you.
Re: (Score:2)
I blame the ACs.
Re: (Score:2)
What kind of company has a GDP?
It's only a matter of time before you get Fiji Apple or Amazon Brazil. They'll have to do something with their endless pools of cash.
And? Who goes to prison? (Score:3)
Nobody? Then this is obviously perfectly acceptable and even negligence this extremely gross is not anything to worry about.
Re: (Score:2)
Ah, the tried and true failure of "shooting the messenger". Yes, I can see that happening.
Re: (Score:3)
That's really looking at the problem in retrospect. We have dealt with quality of infrastructure for a long time in the developed world.
What you need are licensed people for such areas; especially things that are open to the public.
You're not building a bridge without a proper license. ...
You're not building a high rise without a proper license.
Sure, you can do some stuff on your own with basic home repair or a shed.
With licensing, then you have a case for negligence.
Yes, I really do think you should need a
Re: (Score:2)
I tend to agree. While I do not like the idea of licencing, it seems we cannot get the incompetent morons to stop messing with stuff where it hurts others in any other way.
It's SMS for Pete's sake! (Score:1)
How is a set of data intended for a protocol that is insecure by design being "leaky" or a security risk?
Of course you're going to find reset links and 2FA codes there. That's why those processes are (or should be) time bound ...
This is about as surprising as finding Jenny's number on the bathroom wall.
Re: (Score:2)
I fail to see why this breach is news at all. It's all reset codes that expired minutes after they were used. This isn't sensitive data.
So what? (Score:2)
I get passwords and 2-factor codes all the time, but they are valid only for one to a few minutes.
Who would be stupid enough to send long-term passwords by such an insecure medium as SMS? It is barely better than email.
Maybe worse, as it is easier to hijack someone's phone number than their domain or email address.
If this leak has exposed them to public scrutiny, perhaps it is a good thing!
Unless you are able to see the text messages in realtime, no harm done.