A security researcher named Sébastien Kaul recently discovered a completely unprotected database on Vovox servers. The server was not even password protected, and it gave anyone who found it potential access to about 26 million SMS messages, among them two-step authentication codes.
The incident shows that traditional short messages are a poor choice for the always recommended 2FA layer (Two-Factor Authentication) that protects our services, and that there are far better options, such as the dedicated authenticator applications built for this purpose.
Good for two-step authentication, bad for SMS as its delivery channel
The database was not only easily accessible, the researcher found it through the popular search engine Shodan, but the Kibana front-end it was served through presents the data (names, dates, mobile numbers and message contents) in a way that made it even easier for potential attackers to browse.
The researcher's report showed that authentication codes for many different services were sent in plain text, so that they could be intercepted and used to take control of user accounts on all of those services.
As experts point out, authentication codes are only valid for a short period, so reading the database after the fact is of little value; it would only be useful to someone who could act on a code shortly after it arrived. The problem is that the database was exposed for some time and continuously updated, so anyone who had ongoing access could have intercepted codes in near real time and taken over accounts, often ones holding sensitive content.
Using two-step authentication is still a fantastic idea to add one more layer of security to our services, and many services support it, but the use of SMS as the channel has long been discouraged.
Even NIST (National Institute of Standards and Technology) officially declared two years ago that short messages were no longer suitable for this type of scenario. Mobile applications such as Google Authenticator, Microsoft Authenticator or the popular Authy are safer alternatives, as the agency's own report states.