
“We argue that these attacks can be easily tested, verified, and executed at scale,” wrote the researchers from the universities of New Mexico, Arizona, Louisiana, and Circle. “The threat model can be accomplished using consumer-grade hardware and only basic to intermediate web security knowledge.”
SMS messages are sent unencrypted. In recent years, researchers have unearthed public databases of previously sent texts containing authentication links and private data, including people's names and addresses. One such discovery, from 2019, involved millions of stored text messages sent and received over the years between one company and its customers. It included usernames and passwords, university funding applications and marketing messages with discount codes and job alerts.
Despite these known risks, the practice continues to flourish. For ethical reasons, the researchers behind the study were unable to capture its true extent, because doing so would have required bypassing access controls, however weak they were. Instead, the researchers looked at public SMS gateways, a lens that offered only a limited view of the process. These are typically advertising-based websites that allow people to use a temporary number to receive text messages without revealing their phone number. Examples of such gateways can be found here and here.
With such limited visibility into authentication messages sent via SMS, researchers were unable to measure the true extent of the practice and the security and privacy risks it posed. Still, their findings were remarkable.
The researchers collected 322,949,000 unique SMS-delivered URLs from more than 33 million text messages sent to more than 30,000 phone numbers. They found extensive evidence of security and privacy threats to the people who received them. Of those, the researchers said, messages originating from 701 endpoints sent on behalf of 177 services revealed “critical personally identifiable information.” The root cause of the exposure was weak authentication based on tokenized links for verification. Anyone with the link can then obtain users' personal information through these services, including social security numbers, dates of birth, bank account numbers and credit scores.
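The weakness described above, shown next to one way a service could close it. This is an added example, not code from the study or from any of the services it examined; `LinkStore`, `redeem_weak`, `redeem`, the in-memory store and the ten-minute lifetime are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 600  # assumed lifetime for an SMS-delivered link


def _digest(token: str) -> str:
    # Store only a hash, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class LinkStore:
    """Hypothetical in-memory store for tokens embedded in SMS links."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256(token) -> record
        self._clock = clock  # injectable so expiry can be tested

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[_digest(token)] = {
            "user": user_id,
            "expires": self._clock() + TTL_SECONDS,
            "used": False,
        }
        return token  # goes into the URL sent by SMS

    def redeem_weak(self, token: str):
        # The pattern the article describes: possession of the link is the
        # only check, with no expiry and no single-use enforcement.
        row = self._rows.get(_digest(token))
        return row["user"] if row else None

    def redeem(self, token: str, session_user):
        # Hardened: the link only locates the record. Access also needs an
        # authenticated session for the same account, an unexpired token,
        # and a token that has not been redeemed before.
        row = self._rows.get(_digest(token))
        if row is None or row["used"] or self._clock() > row["expires"]:
            return None
        if session_user is None or session_user != row["user"]:
            return None  # link holder is not the logged-in account owner
        row["used"] = True
        return row["user"]
```

With `redeem`, a link read off a public gateway or a leaked message database identifies a record but does not open it.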
