WHEN PRIVATE LINKS MAKE PUBLIC LEAKS

Millions of people imperiled through sign-in links sent by SMS

Even well-known services with millions of users are exposing sensitive data.

Dan Goodin

Websites that authenticate users through links and codes sent in text messages are imperiling the privacy of millions of people, leaving them vulnerable to scams, identity theft, and other crimes, recently published research has found.

The links are sent to people seeking a range of services, including insurance quotes, job listings, and referrals for pet sitters and tutors. To spare themselves the hassle of collecting and storing usernames and passwords, and to spare users the hassle of creating and entering them, many such services instead require only a cell phone number when a user signs up. The services then send authentication links or passcodes by SMS whenever the user wants to log in.

Easy to execute at scale

A paper published last week found more than 700 endpoints delivering such texts on behalf of more than 175 services in ways that put user security and privacy at risk. One practice that jeopardizes users is the use of links that are easily enumerated, meaning scammers can guess them simply by modifying the security token, which usually appears at the end of the URL. By incrementing the token or guessing nearby values (changing 123 to 124, or ABC to ABD, and so on), the researchers were able to access accounts belonging to other users. From there, they could view personal details, such as partially completed insurance applications.

In other cases, the researchers could have transacted sensitive business while masquerading as the other user. Some links drew on so few possible token combinations that they were easy to brute force. Others let anyone holding the link view or modify user data with no authentication beyond clicking it. Many of the links continued to grant account access for years after they were sent, further raising the risk of unauthorized use.

“We argue that these attacks are straightforward to test, verify, and execute at scale,” the researchers, from the universities of New Mexico, Arizona, Louisiana, and the firm Circle, wrote. “The threat model can be realized using consumer-grade hardware and only basic to intermediate Web security knowledge.”

SMS messages are not end-to-end encrypted; they pass through carriers and messaging vendors in a form those intermediaries can read and store. In past years, researchers have unearthed public databases of previously sent texts that contained authentication links and private details, including people’s names and addresses. One such discovery, from 2019, held millions of text messages sent and received over several years between a single business and its customers. It included usernames and passwords, university finance applications, and marketing messages with discount codes and job alerts.

Despite the known insecurity, the practice continues to flourish. For ethical reasons, the researchers behind the study could not capture its true scale, because doing so would require bypassing access controls, however weak those controls were. Instead they used public SMS gateways as a lens that offers only a limited view of the process. These are typically ad-supported websites that let people receive texts at a temporary number without revealing their own phone number.

Because that view is so limited, the researchers were unable to measure the true scope of the practice or of the security and privacy risks it poses. Still, their findings were notable.

The researchers collected 322,949 unique SMS-delivered URLs extracted from over 33 million texts sent to more than 30,000 phone numbers, and found abundant evidence of security and privacy threats to the people receiving them. Messages originating from 701 endpoints, sent on behalf of 177 services, exposed “critical personally identifiable information,” the researchers said. The root cause of the exposure was weak authentication that relied on a tokenized link as the sole proof of identity. Anyone holding the link could obtain users’ personal information from these services, including Social Security numbers, dates of birth, bank account numbers, and credit scores.

Of those 701 endpoints, 125 allowed “mass enumeration of valid URLs due to low entropy.” An attacker who had received a link from the same service could simply modify the token in it to reach other people’s accounts.
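To make the enumeration and low-entropy findings above concrete, here is an added Python example. It is not code from the paper, the article, or any of the services studied. It compares three token schemes an SMS link might carry: a sequential numeric ID (the "change 123 to 124" attack), a short random code that can be brute-forced blind, and a 256-bit token from a CSPRNG. The token formats, the size of each "live" token set, and the one-million-user scenario are assumptions chosen for illustration, and the live token sets are constructed in memory.

```python
import math
import random
import secrets
import string

ALNUM = string.ascii_letters + string.digits      # 62 symbols
URLSAFE = ALNUM + "-_"                            # 64 symbols used by secrets.token_urlsafe


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random token with this alphabet and length."""
    return length * math.log2(alphabet_size)


def expected_guesses_per_hit(alphabet_size: int, length: int, live_tokens: int) -> float:
    """Average uniform guesses until one lands on *some* currently valid token.

    The attacker need not target a specific victim: with N live links in a
    keyspace of size K, about K/N guesses yield somebody's working link.
    """
    return alphabet_size ** length / live_tokens


def enumerate_sequential(seen_token: str, width: int = 50) -> list:
    """The 'change 123 to 124' attack: from one legitimately received sequential
    token, walk the neighbouring integers."""
    base = int(seen_token)
    return [str(base + d) for d in range(-width, width + 1) if d != 0]


def brute_force_random(live: set, alphabet: str, length: int, attempts: int, seed: int = 1) -> int:
    """Spray uniformly random guesses of the right shape; count hits on live tokens."""
    rng = random.Random(seed)                       # seeded only so the demo is reproducible
    return sum(
        "".join(rng.choices(alphabet, k=length)) in live for _ in range(attempts)
    )


def demo() -> dict:
    # Constructed token sets standing in for three services' currently valid links.
    sequential_live = {str(n) for n in range(100_000, 100_500)}   # IDs handed out in order
    weak_rng = random.Random(7)
    weak_live = {"".join(weak_rng.choices("0123456789", k=4)) for _ in range(500)}  # 4-digit codes
    strong_live = {secrets.token_urlsafe(32) for _ in range(500)}  # 256-bit, 43 characters

    return {
        # Enumeration: 100 guesses around one known ID, every one of them a valid account.
        "sequential_hits": sum(t in sequential_live for t in enumerate_sequential("100250")),
        # Brute force: 2,000 blind guesses into a 10,000-value keyspace.
        "weak_hits": brute_force_random(weak_live, "0123456789", 4, attempts=2_000),
        "weak_bits": entropy_bits(10, 4),
        # Same budget against 256-bit tokens: nothing.
        "strong_hits": brute_force_random(strong_live, URLSAFE, 43, attempts=2_000),
        "strong_bits": entropy_bits(64, 43),
        # Assumed scenario: 5-character alphanumeric tokens and a million live links.
        "guesses_per_hit_5_alnum_1M": expected_guesses_per_hit(62, 5, 1_000_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:30} {value}")
```

The point of `expected_guesses_per_hit` is that a large user base works against the service: the attacker only needs any valid link, so the cost of a hit falls in proportion to how many links are live, which is why tokens that are never expired make the problem worse.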

Because of the limited view into the practice, these numbers likely significantly undercount the true number of services jeopardizing users’ security and privacy by sending such links.

The likely widespread sending of unsafe links in SMS messages means there are few concrete steps most people can take to protect themselves. Stepping back and assessing the weak authentication processes in general, Muhammad Danish, the lead author of the paper, wrote in an email:

The root causes we found are related to service providers and the burden is on them. We can say users should not give sensitive details to untrusted sources, but that suggestion fails in our case as our list includes even well-established service providers with millions of active users. Users can help us by reporting to the service providers or removing their data until fixed if they see any of these issues in a website.

Examples of the offending services can be found in the paper linked above.

The practice is popular because it imposes lower perceived friction on potential customers. Another benefit is that services don’t have to collect and store usernames and passwords, which have proven over and over to be easily stolen by hackers. The practice is also sustained by a false assumption on the part of the people setting up the service that a link can be used only by the person whose phone received it, and by endpoint misconfigurations that never get a security review.

Muhammad, like other security professionals, said authentication links sent by SMS or email aren’t inherently unsafe, provided the links are short-lived, expire after the first login, and carry a cryptographically secure token. Privacy-minded sites, including DuckDuckGo and 404 Media, have opted to authenticate users with a “magic link” sent to the account holder’s email address.

“By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure,” 404 Media editors wrote. “The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).” Many people who object to magic links fail to realize that many password-based services already fall back to the equivalent of a magic link, the emailed password-reset link, for account recovery.

To be safe, magic links must be time-limited to shrink the window in which someone else who obtains one can use it. 404 Media says its links expire within 24 hours. DuckDuckGo’s email authentication works differently: it sends a long one-time password. It’s unclear how long that passcode remains valid.

Magic links also aren’t suitable for services like Gmail, Office 365, or banks, which hold large amounts of sensitive user data and need more robust account recovery mechanisms; for an email provider in particular, a link sent to the very mailbox being recovered is no help.

Another way to strengthen SMS- or email-based authentication is to require a second factor in addition to the link, although a birthdate, ZIP code, or other low-entropy value is not sufficient. Further, redemption attempts must be rate-limited so an attacker cannot simply keep guessing tokens until one works.
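Here is an added Python example, not code from the paper, the article, or any of the services named, of a magic-link issuer that applies the properties listed above together with rate limiting: a 256-bit token from the OS CSPRNG, a short lifetime, single use enforced by storing only a hash of the token, and a per-client cap on failed redemptions. The endpoint URL, the 15-minute lifetime, and the failure budget are assumptions chosen for illustration; the clock is injectable so the behaviour can be checked deterministically.

```python
import hashlib
import secrets
import time
import urllib.parse
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple

TOKEN_BYTES = 32             # 256 bits from the OS CSPRNG; 43 URL-safe characters
LINK_TTL_SECONDS = 15 * 60   # assumed policy: a link is good for 15 minutes
MAX_FAILURES = 5             # assumed policy: failed redemptions per client per window
WINDOW_SECONDS = 15 * 60


@dataclass
class PendingLink:
    user_id: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems sign-in links that are high-entropy, short-lived and one-time."""

    def __init__(self, base_url: str = "https://login.example.test/magic"):  # hypothetical endpoint
        self.base_url = base_url
        self._pending: dict = {}                  # sha256(token) -> PendingLink
        self._failures = defaultdict(deque)       # client id -> timestamps of failed attempts

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Only a hash is stored: a leaked copy of this table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)   # unguessable; never a counter or a short code
        self._pending[self._fingerprint(token)] = PendingLink(user_id, now + LINK_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def _rate_limited(self, client: str, now: float) -> bool:
        window = self._failures[client]
        while window and now - window[0] > WINDOW_SECONDS:   # drop failures outside the window
            window.popleft()
        return len(window) >= MAX_FAILURES

    def redeem(self, token: str, client: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Return (user_id, "ok") on success, else (None, reason)."""
        now = time.time() if now is None else now
        if self._rate_limited(client, now):
            return None, "rate_limited"           # stops token spraying from one client
        link = self._pending.get(self._fingerprint(token))
        if link is None:
            self._failures[client].append(now)   # only unknown tokens count against the budget
            return None, "invalid"
        if link.used:
            return None, "already_used"          # one-time: a captured link cannot be replayed
        if now > link.expires_at:
            return None, "expired"               # short-lived: links in old gateway dumps are dead
        link.used = True
        return link.user_id, "ok"


def token_from_url(url: str) -> str:
    """Extract the token parameter from a link, as the login endpoint would on click."""
    query = urllib.parse.urlparse(url).query
    return urllib.parse.parse_qs(query).get("token", [""])[0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice", now=0.0)
    token = token_from_url(link)
    print(svc.redeem(token, client="203.0.113.7", now=60.0))    # ('alice', 'ok')
    print(svc.redeem(token, client="203.0.113.7", now=61.0))    # (None, 'already_used')
```

Two design choices are worth noting. Looking the token up by its hash means a leaked database of pending links is worthless to an attacker, unlike the stored plaintext links found in the gateway dumps described above. And the rate limiter keys on the client rather than the token, because the enumeration attack in the paper is many tokens from one source, not many attempts on one token.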

For now, people should recognize that many of the SMS-delivered authentication links they receive may be exposing their sensitive data, and this practice isn’t likely to change soon. Of the 150 affected service providers the researchers were able to contact, only 18 responded and only seven have fixed the failure.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.
70 Comments
Staff Picks
Am I missing something here, or does the issue highlighted in the article have nothing to do with SMS and is basically just about poorly managed self-authenticating links?

Not saying SMS is a legitimate flow for second factors or anything related to security, but AFAICT, the article is not about SMS at all. It’s about insecure authentication links — regardless of how they are communicated (could be SMS, email, snail mail, or any other messaging service).

EDIT: checking the link to the paper, they do clearly call out SMS. But unless I’ve misunderstood the issue, links sent via email are equally at risk. It’s concerning to me that the paper could lead people to believe that moving these links to email would protect them in any way.
There are more risks associated with SMS than emails, and the SMS data was publicly and ethically available for research compared to a similar amount of email data. However, the issue highlighted is that these tokens are not short-lived, one-time use, or cryptographically secure.
I think the emphasis on SMS is that it’s easier to obtain the magic link via SMS than one sent to email, because in theory, email is better protected and more difficult to obtain. I think they got these messages for research off of poorly secured SMS gateway providers who send the links, if I’m understanding correctly.
The SMS gateways are only used as a lens into the overall SMS ecosystem as service providers send similar emails to real phone numbers that are used to register for these services.
I think this is the part that matters. SMS, email, smoke signals, whatever - if you fail the short-lived/one-time/lack of entropy, you're dead in the water regardless of method.

Hell, that's something that should be required for session tokens like cookies too, and if you need them longer lived you silently renew them (that's what I do with my reverse proxy - sessions last as long as configured but default to 20 hours, but the session cookie is only valid for a very limited time - while it's valid, it can be renewed unless you've exceeded the session limit...)

Edit: I can understand the lack of "one-time" though - you can implement short-lived and plenty of entropy with stateless management (just encode it and sign it appropriately - that's what JWTs are for though you can use any method you like), but one-time requires keeping state to track its use, and depending on the volume that can be pretty ugly. If the short-lived is low and robust enough I'd have to think about the trade-off of true one-time.
Exactly! The paper mentions all links were not one time and at least 1 year old and some even from 2019. Also, the majority of services had lower than required entropy.
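Since the trade-off between stateless signed tokens and true one-time use came up in the exchange above, here is an added Python example (not the commenters' code, and not from the paper) of the stateless side of it: an HMAC-SHA256-signed link token carrying its own expiry, verified with nothing but the server key. It is short-lived and unforgeable without a database, but, as the comment notes, it cannot be one-time, and the test shows a replay inside the lifetime succeeding. The key and the lifetime are constructed for illustration; in practice the key would come from a secrets manager.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption for the demo: a static key. Production code would load this from a KMS or vault.
SERVER_KEY = b"constructed-demo-key-replace-with-32-random-bytes"


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: str, key: bytes) -> str:
    return b64u_encode(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def mint(user_id: str, ttl_seconds: int, now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Stateless link token of the form <payload>.<signature>; the expiry lives inside the signed payload."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + ttl_seconds)}
    payload = b64u_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{sign(payload, key)}"


def verify(token: str, now: Optional[float] = None, key: bytes = SERVER_KEY) -> Tuple[Optional[str], str]:
    """Return (user_id, "ok") or (None, reason). Needs no storage, so it cannot detect reuse."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None, "malformed"
    # Check the signature before parsing anything the client controls; constant-time compare.
    if not hmac.compare_digest(sign(payload, key), sig):
        return None, "bad_signature"
    try:
        claims = json.loads(b64u_decode(payload))
    except ValueError:                       # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, "malformed"
    if now > claims.get("exp", 0):
        return None, "expired"
    return claims.get("sub"), "ok"


if __name__ == "__main__":
    t = mint("alice", ttl_seconds=900, now=1000.0)
    print(verify(t, now=1500.0))   # ('alice', 'ok')
    print(verify(t, now=1600.0))   # ('alice', 'ok')  -- replay succeeds: no state, no one-time guarantee
    print(verify(t, now=1901.0))   # (None, 'expired')
```

The expiry is the only thing limiting replay here, which is why the lifetime of a stateless token has to be far shorter than the years-old links the paper found; a one-time guarantee needs the server-side record the other approach keeps.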

I'm a subscriber to that same list (Hi Ed Zitron, I'm a huge fan!), & I find it annoying that every time I go to his site, I have to do the dance of inputting my email address, then going to gmail to collect the link. His blog is good enough that I'm willing to do that, but I certainly count that as friction.
It doesn't make sense for a newsletter but the paper mentioned financial services among top 3 industries.

Jesus.. It's called a cryptographic nonce you idiot programmers. Generate a random one and store it in a table with an expiration date.
The paper not only mentions enumerable but also weak random characters. For example a 5 character alphanumeric token for a service with large userbase like Everquote. That's why it got a hit even within 10 manual attempts of changing the token.
One thing I run into fairly often are sites that refuse to send a 2FA SMS message to a VOIP address. This usually shows up when they ask for a "cell phone", but then reject a VOIP phone number. Most VOIP providers have a way to send/read SMS messages from a VOIP phone number via a web browser. I will admit that the SMS message is subject to attack on the VOIP provider's servers (also true on the servers of the sites with these policies), but in terms of remote access, that is over https, and should be as secure as the over the air encryption used by SMS to transmit to a user's phone. So I really don't understand why these sites discriminate against this type of SMS.
That 64 bit length is probably a bit due for revision. Anything I write would scream blue murder if you set a key used for internal derivation to anything less than 128 bits. It'll accept it, but it'll scale its internal use up with 256/384/512 bits (and unfortunately truncate at 512 bits, because it's deriving keys using SHA functions or similar)

Edit: I worded that wrong. It won't accept <128 bit, and at 128+ it scales up the longer the key.
I agree, but they don't even meet 64 bit entropy requirements. There are also cases where they have long strong tokens in the final redirected URL but the initial URL sent to user has been shortened with a short token which makes the final stronger URL useless. It's pretty dumb but it's still true in real world applications.