There’s bad news for those who rely upon SMS-based 2FA authentication.
A Berlin-based security researcher Sébastien Kaul has revealed that Voxox exposed a huge database containing tens of millions of text messages by storing it on an unprotected server.
The VOIP and Cloud communication for SMS and voice services provider firm, Voxox, has exposed sensitive data like 2FA codes, plaintext passwords, phone numbers, password reset codes, shipping notification, and verification codes to public access. Kaul was able to identify the unsecure server with the help of the IoT devices search engine Shodan.
TechCrunch’s Zack Whittaker also reported about the exposure of critical information of Voxox customers. According to Whittaker, the text message database identified by Kaul is easily accessible and offers an almost real-time view of the information that goes through the company’s SMS gateway.
The San Diego-based communications firm Voxox didn’t protect the server with a password, which is a grave security lapse as it lets anyone snoop on text messages.
The unsecure server was discovered by Kaul on Shodan but it was also linked to one of the subdomains owned by Voxox and the database was running on Amazon Elasticsearch. It was configured with a Kibana front-end, which makes the data easily searchable, readable, and browsable.
The database is now taken offline by Voxox, but, only after TechCrunch published the inquiry report. Before its closure, there were more than 26 million text messages stored in the database. However, it seems quite likely that the figure may be higher given the high volume of the messages processed by Voxox every minute.
It is worth noting that every single record was tagged and detailed accurately since it included the contact number of the recipient, the Voxox customer who sent the message, and the content of the message. It also included the shortcode that the message used.
In an email, Voxox’s co-founder and chief tech officer Kevin Hertz claimed that the company was keenly looking into the issue and is following the “standard data breach policy at the moment…. [for] evaluating impact.”
Nonetheless, the data exposure once again highlights the convenience with which an attacker could have launched a targeted operation and accessed such huge treasure trove of sensitive data. Naturally, the attacker could have abused it to no end, such as compromising the 2FA systems completely, that too, without raising alarms.