SMS Sign-In Links Put Millions at Risk

▼ Summary
– Websites that authenticate users with links or codes sent by SMS are exposing millions of people to account takeover, scams and identity theft, because the links themselves are the only thing standing between an attacker and the account.
– Many services, like those for insurance or job listings, use phone numbers and SMS authentication to avoid traditional passwords, creating a widespread vulnerability.
– Recent research identified over 700 vulnerable endpoints across more than 175 services, where easily guessed or enumerated links allow unauthorized account access.
– Attackers can access personal data, such as insurance applications, or conduct sensitive transactions by simply modifying predictable tokens in the authentication URLs.
– Poor security practices include links that require no further authentication, remain active for months, and have tokens with few combinations, making brute-force attacks easy.
The widespread use of SMS-based sign-in links for account authentication is creating significant security vulnerabilities for millions of users. This convenient method, designed to bypass traditional passwords, is now exposing people to heightened risks of fraud and identity theft across numerous online services. From insurance platforms to job boards and community referral sites, the reliance on texted links and codes is proving dangerously flawed.
A recent investigation uncovered more than 700 vulnerable endpoints used by over 175 different services. The core problem often lies in the structure of the authentication links themselves. Many services use security tokens within their URLs that are easily guessable or enumerable. This means a malicious actor can systematically alter a single character in the token, changing a number from 123 to 124, for example, and potentially gain access to a completely different user’s account. Researchers demonstrated this by accessing accounts and viewing sensitive personal information, such as partially filled insurance applications.
The consequences of these weak security practices are severe. In some instances, attackers could have conducted sensitive transactions while impersonating the legitimate account holder. Other links were found to use tokens with so few possible combinations that they could be brute-forced with minimal effort. Further compounding the risk, many of these SMS links require no additional authentication beyond the initial click, granting full account access to anyone who possesses the URL.
Perhaps most alarming is the longevity of these access tokens. Many authentication links remain active for days, weeks, or even months after being sent, creating a prolonged window for abuse if a text message is intercepted, forwarded, or read by someone other than the intended recipient, or simply found on a lost or resold phone. This design flaw turns a momentary convenience into a persistent security liability, leaving user data exposed long after the initial login attempt. The research underscores a critical need for services to move beyond these inherently insecure SMS-based methods and adopt more robust authentication: links built on unguessable, short-lived tokens that stop working after they are used, with additional verification before sensitive transactions.
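The three flaws the article describes (sequential tokens that can be enumerated by editing one digit, tokens that never expire, and links that grant full access to anyone who clicks) are easiest to see side by side in code. The following is an added example written for this page, not code from the investigation or from any of the affected services; the user records, the `example.test` endpoint and the `t=` query parameter are constructed for illustration. The weak issuer reproduces the 123-to-124 enumeration; the hardened issuer shows the properties a sign-in link needs to resist it.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed example data: three hypothetical accounts, not from the article.
USERS = {1: "alice", 2: "bob", 3: "carol"}
BASE_URL = "https://example.test/login"  # hypothetical sign-in endpoint


def token_from_url(url: str) -> str:
    """Pull the token out of the link's query string (parameter name 't' is assumed)."""
    return parse_qs(urlparse(url).query)["t"][0]


@dataclass
class WeakLinkService:
    """Sign-in links with the flaws the article describes: a sequential counter
    as the token (so 123 and 124 belong to neighbouring users), no expiry, and
    no invalidation after the link is used."""
    next_token: int = 123
    tokens: Dict[str, int] = field(default_factory=dict)  # token -> user id

    def issue(self, user_id: int) -> str:
        token = str(self.next_token)
        self.next_token += 1
        self.tokens[token] = user_id
        return f"{BASE_URL}?t={token}"

    def redeem(self, url: str) -> Optional[int]:
        # Anyone holding the URL gets the account, and keeps getting it.
        return self.tokens.get(token_from_url(url))


def enumerate_neighbours(service: WeakLinkService, seen_token: int, spread: int) -> Dict[str, int]:
    """An attacker who legitimately received `seen_token` tries nearby values,
    the same 123 -> 124 edit described in the text. Returns token -> victim id."""
    hits: Dict[str, int] = {}
    for candidate in range(seen_token - spread, seen_token + spread + 1):
        victim = service.redeem(f"{BASE_URL}?t={candidate}")
        if victim is not None:
            hits[str(candidate)] = victim
    return hits


@dataclass
class HardenedLinkService:
    """Random 256-bit token bound to one user, valid for `ttl_seconds`, consumed
    on first redemption. Only a hash of the token is stored, so a leaked table
    does not hand out live links."""
    ttl_seconds: int = 600
    pending: Dict[str, tuple] = field(default_factory=dict)  # sha256(token) -> (user id, expiry)

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes, ~43 URL-safe characters
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user_id, now + self.ttl_seconds)
        return f"{BASE_URL}?t={token}"

    def redeem(self, url: str, now: Optional[float] = None) -> Optional[int]:
        now = time.time() if now is None else now
        digest = hashlib.sha256(token_from_url(url).encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a link works at most once
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None


if __name__ == "__main__":
    weak = WeakLinkService()
    links = {uid: weak.issue(uid) for uid in USERS}
    print("attacker holding", token_from_url(links[2]), "reaches:", enumerate_neighbours(weak, 124, 3))
    hard = HardenedLinkService(ttl_seconds=600)
    url = hard.issue(1, now=1000.0)
    print("hardened first use:", hard.redeem(url, now=1100.0), "second use:", hard.redeem(url, now=1100.0))
```

With the weak issuer, guessing the two values adjacent to your own token is enough to log in as two other users, and the links keep working indefinitely. With the hardened issuer the search space is 2^256 rather than a handful of integers, a link that sits unread in a text thread dies after ten minutes, and a link that has been clicked once is useless to whoever reads the message later. Note that even the hardened link still grants whatever the session grants; the article's finding that links "require no further authentication" is an argument for step-up verification before sensitive transactions, which this example does not attempt to model.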
(Source: Ars Technica)
