Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

A Leaky Database of SMS Text Messages Exposed Password Resets and Two-Factor Codes (techcrunch.com) 37

A database which contained millions of text messages used to authenticate users signing into websites was left exposed to the internet without a password. From the report: The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn't protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sebastien Kaul, a Berlin-based security researcher, it didn't take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to to one of Voxox's own subdomains. Worse, the database -- running on Amazon's Elasticsearch -- was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.
This discussion has been archived. No new comments can be posted.

A Leaky Database of SMS Text Messages Exposed Password Resets and Two-Factor Codes

Comments Filter:
  • by gweihir ( 88907 ) on Friday November 16, 2018 @02:12PM (#57657044)

    Nobody? Then this is obviously perfectly acceptable and even negligence this extremely gross is not anything to worry about.

    • That's really looking at the problem in retrospect. We have dealt with quality of infrastructure for a long time in the developed world.

      What you need are licensed people for such areas; especially things that are open to the public.

      You're not building a bridge without a proper license.
      You're not building a high rise without a proper license. ...

      Sure, you can do some stuff on your own with basic home repair or a shed.

      With licensing, then you have a case for negligence.

      Yes, I really do think you should need a

      • by gweihir ( 88907 )

        I tend to agree. While I do not like the idea of licencing, it seems we cannot get the incompetent morons to stop messing with stuff where it hurts other in any other way.

  • by Anonymous Coward

    How is a set of data intended for a protocol that is insecure by design being "leaky" or a security risk?

    Of course you're going to find reset links and 2fa codes there. Thats why those process are(or should be) time bound ...

    This is about as surprising as finding Jenny's number on the bathroom wall.

    • by hoggoth ( 414195 )

      I fail to see why this breach is news at all. It's all reset codes that expired minutes after they were used. This isn't sensitive data.

  • I get passwords and 2-factor codes all the time, but they are valid only for one top a few minutes.
    Who would be stupid enough to send long-term passwords by such an insecure medium as SMS? It is barely better than email.
    Maybe worse, as it is easier to hijack someones phone number than their domain or email address.

    If this leak has exposed them to public scrutiny, perhaps it is a good thing!

    Unless you are able to see the text messages in realtime, no harm done.

Every program is a part of some other program, and rarely fits.

Working...