Slashdot Mirror


A Leaky Database of SMS Text Messages Exposed Password Resets and Two-Factor Codes (techcrunch.com)

A database which contained millions of text messages used to authenticate users signing into websites was left exposed to the internet without a password. From the report: The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn't protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sebastien Kaul, a Berlin-based security researcher, it didn't take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox's own subdomains. Worse, the database -- running on Amazon's Elasticsearch -- was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.
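
The misconfiguration in the summary is an Elasticsearch REST endpoint that answers anonymous requests, which is exactly what Shodan indexes and what a Kibana front-end then makes browsable. The following is an added example, not code from TechCrunch, Slashdot or Voxox, showing the check a practitioner would run against their own clusters. It assumes the default REST port 9200 over plain HTTP and that a cluster with authentication enabled answers an anonymous GET / with 401 (or 403 behind an access policy); the sample responses embedded in it are constructed to resemble an open cluster and are not data from the server in the story.

```python
"""Check whether an Elasticsearch REST endpoint answers without credentials.

Assumptions (not from the article): the target exposes the default REST port
9200 over plain HTTP, and a cluster with authentication enabled rejects an
anonymous GET / with 401 (or 403 behind an access policy). The sample
responses below are constructed to look like an open cluster; they are not
data from the Voxox server.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Finding:
    exposed: bool
    reason: str
    indices: list = field(default_factory=list)   # (name, doc_count) pairs
    kibana_index: bool = False                    # a .kibana index means a Kibana front-end


# Index-name fragments that usually mean personal or authentication data.
SENSITIVE_HINTS = ("sms", "message", "otp", "auth", "user", "log")


def classify(root_status, root_body, indices_status=None, indices_body=None):
    """Decide from raw HTTP responses whether the cluster is readable anonymously.

    root_status/root_body       : GET /                        (cluster banner)
    indices_status/indices_body : GET /_cat/indices?format=json (index listing)
    """
    if root_status in (401, 403):
        return Finding(False, "GET / requires authentication")
    if root_status != 200:
        return Finding(False, f"unexpected status {root_status} on GET /")
    try:
        root = json.loads(root_body)
    except ValueError:
        return Finding(False, "GET / is not JSON; probably not Elasticsearch")
    if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
        return Finding(False, "no Elasticsearch banner in GET /")
    version = root["version"].get("number", "?")
    finding = Finding(True, f"cluster {root['cluster_name']!r} (Elasticsearch {version}) "
                            "answers anonymously")
    if indices_status == 200 and indices_body:
        try:
            entries = json.loads(indices_body)
        except ValueError:
            entries = []
        for entry in entries:
            name = entry.get("index", "")
            finding.indices.append((name, int(entry.get("docs.count") or 0)))
            if name.startswith(".kibana"):
                finding.kibana_index = True
    return finding


def sensitive_indices(finding):
    """Names of readable indices whose name hints at message or identity data."""
    return [name for name, _ in finding.indices
            if any(h in name.lower() for h in SENSITIVE_HINTS)]


def _get(url, timeout=5):
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host, port=9200):
    """Live check of one host (only run against systems you are authorised to test)."""
    base = f"http://{host}:{port}"
    root_status, root_body = _get(base + "/")
    idx_status, idx_body = (None, None)
    if root_status == 200:
        idx_status, idx_body = _get(base + "/_cat/indices?format=json")
    return classify(root_status, root_body, idx_status, idx_body)


# Constructed sample responses standing in for an open cluster.
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "sms-gateway",
                          "version": {"number": "6.4.2"}, "tagline": "You Know, for Search"})
SAMPLE_INDICES = json.dumps([{"index": ".kibana", "docs.count": "3"},
                             {"index": "sms-2018.11", "docs.count": "26000000"}])

if __name__ == "__main__":
    import sys
    result = (probe(sys.argv[1]) if len(sys.argv) > 1
              else classify(200, SAMPLE_ROOT, 200, SAMPLE_INDICES))
    print(result.reason)
    if result.exposed:
        print("kibana front-end:", result.kibana_index)
        print("sensitive-looking indices:", sensitive_indices(result))
```

Run it with no arguments to see the classification of the constructed responses, or with a hostname to probe a cluster you own. The decision is made from the two cheapest requests an attacker would also make: the banner on GET / and the index listing, which is enough to tell whether a .kibana index (and therefore a dashboard) sits in front of message data.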

37 comments

  1. Hooray for idiot millennials by Anonymous Coward · · Score: 0

    Morons are so used to posting every detail about their mundane lives to the internet, they won't think about security at all.

  2. Damn you all by Anonymous Coward · · Score: 0

    Now I have to find a new place to find my txt-pr0n

    Damn you all to hell !

  3. Old retards blame younger retards, news at 11 by Anonymous Coward · · Score: 0

    Put down the iPhone, old retard. This isn't about millennials; you've gone full senile.

  4. Hostile by Anonymous Coward · · Score: 0

    Is it just my imagination or has Slashdot become more hostile, juvenile and "4chan"ish in the last week or so?

    1. Re: Hostile by Anonymous Coward · · Score: 1

      Yep, just your imagination.

      Bitch.

    2. Re:Hostile by Immerman · · Score: 1

      I've had that impression as well. Perhaps the recent election results have stirred up the trolls?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    3. Re:Hostile by CaptainDork · · Score: 1

      It's not the last week or so.

      The Troll Index (Troll/Relevant) fluctuated around a mean average for years.

      Even after Trump was elected, the trend was steady-state.

      Then, as the administration started pissing off its base, especially with the trade wars, anti-Trump spammers became more active.

      Though the Troll Index on /. remained nominally flat during the Obama administration, those who voted him in were disappointed more than once, and that level of dissatisfaction floated up gently til the end of that administration, but not to the point that /. was affected very much.

      Trolls are the cow patties of a pleasant meadow where great minds come to mingle.

      The patties, of late, are just taller.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Hostile by Anonymous Coward · · Score: 0

      Is it just my imagination or has Slashdot become more hostile, juvenile and "4chan"ish in the last week or so?

      Slashdot has been like this for at least 4-5 years now. It sort of turned into a cesspool when CmdrTaco left.

    5. Re:Hostile by novakyu · · Score: 1

      I blame the ACs.

    6. Re:Hostile by Anonymous Coward · · Score: 0

      "great minds come to mingle"

      LOL!!!!! now i know you're sarcastic

    7. Re:Hostile by CaptainDork · · Score: 1

      Well, to be clear, I was not referring to you.

      --
      It little behooves the best of us to comment on the rest of us.
  5. Dear Slashdot Users by Anonymous Coward · · Score: 0

    Dear Slashdot users,

    can someone direct me to any websites or resources that discuss stories/vulnerabilities like this one in a more in-depth/technical manner?
    Thank you.

    - Anonymous Coward

    1. Re:Dear Slashdot Users by noodlesup · · Score: 2

      Brian Krebs' blog is always a good read https://krebsonsecurity.com/

    2. Re:Dear Slashdot Users by Anonymous Coward · · Score: 0

      Thanks :>

  6. need better penalties by sakono · · Score: 0

    I think the penalty for having your security compromised should be really big. As in, the fines start at 25% of the entire company's GDP, and if something is as easy as this article says then it's 50% of the company's GDP. That might make companies take security seriously, which they don't now due to too-small fines.

    1. Re: need better penalties by Anonymous Coward · · Score: 0

      What kind of company has a GDP? Please try to not sound like a drooling retard before babbling out some half baked stupidity. Thanks!

    2. Re: need better penalties by sakono · · Score: 1

      Gross domestic profit? I mean we could go with full global profit of the company that works too. What the hell did you think I meant with GDP?

    3. Re: need better penalties by Anonymous Coward · · Score: 0

      Holy shit. You truly are pants on head retarded.

    4. Re: need better penalties by Nidi62 · · Score: 1

      What kind of company has a GDP?

      It's only a matter of time before you get Fiji Apple or Amazon Brazil. They'll have to do something with their endless pools of cash.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    5. Re: need better penalties by Anonymous Coward · · Score: 0

      Gross domestic profit? I mean we could go with full global profit of the company that works too. What the hell did you think I meant with GDP?

      If it is this GDP, then it is NOT being used for companies but rather countries. That's the point you are missing.

    6. Re: need better penalties by Anonymous Coward · · Score: 0

      Why not, we already have Fuji Apples.

  7. Do Republican faggots do anything besides lie now? by Anonymous Coward · · Score: 0

    Same as it ever was. https://www.foxnews.com/politics/republican-young-kim-loses-lead-in-california-house-race-accuses-opponent-gil-cisneros-of-harassing-vote-counters

  8. And? Who goes to prison? by gweihir · · Score: 2

    Nobody? Then this is obviously perfectly acceptable and even negligence this extremely gross is not anything to worry about.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re: And? Who goes to prison? by Anonymous Coward · · Score: 0

      The person who found and reported it goes to prison. That is the rule.

    2. Re: And? Who goes to prison? by gweihir · · Score: 1

      Ah, the tried and true failure of "shooting the messenger". Yes, I can see that happening.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:And? Who goes to prison? by scamper_22 · · Score: 2

      That's really looking at the problem in retrospect. We have dealt with quality of infrastructure for a long time in the developed world.

      What you need are licensed people for such areas; especially things that are open to the public.

      You're not building a bridge without a proper license.
      You're not building a high rise without a proper license. ...

      Sure, you can do some stuff on your own with basic home repair or a shed.

      With licensing, then you have a case for negligence.

      Yes, I really do think you should need a license to put up a public website that holds personal data.

    4. Re:And? Who goes to prison? by gweihir · · Score: 1

      I tend to agree. While I do not like the idea of licensing, it seems we cannot get the incompetent morons to stop messing with stuff where it hurts others in any other way.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. It's SMS for Pete's sake! by Anonymous Coward · · Score: 1

    How is a set of data intended for a protocol that is insecure by design being "leaky" or a security risk?

    Of course you're going to find reset links and 2FA codes there. That's why those processes are (or should be) time-bound ...

    This is about as surprising as finding Jenny's number on the bathroom wall.

    1. Re:It's SMS for Pete's sake! by hoggoth · · Score: 1

      I fail to see why this breach is news at all. It's all reset codes that expired minutes after they were used. This isn't sensitive data.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    2. Re:It's SMS for Pete's sake! by Anonymous Coward · · Score: 0

      Because it was updated in real time; you could ask for a password reset on a targeted account, then immediately get the code that was sent to the user's phone.

  10. BTTF is apparently real. by Anonymous Coward · · Score: 0

    It... wasn't... protected with... a password?

    JFC, Back To The Future is real except my bike is apparently the time machine because I must be in 1988.

    Because nobody in the fucking universe in 2018 could possibly be so fucktarded as to put a server responsible for important data on the Internet WITHOUT A PASSWORD.

  11. So what? by quenda · · Score: 1

    I get passwords and 2-factor codes all the time, but they are valid only for one to a few minutes.
    Who would be stupid enough to send long-term passwords by such an insecure medium as SMS? It is barely better than email.
    Maybe worse, as it is easier to hijack someone's phone number than their domain or email address.

    If this leak has exposed them to public scrutiny, perhaps it is a good thing!

    Unless you are able to see the text messages in realtime, no harm done.

    1. Re:So what? by Anonymous Coward · · Score: 0

      Unless you are able to see the text messages in realtime,

      I know no-one even reads the *summary* anymore but:

      "allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages."

      Sigh.