
Recent research has unveiled a significant security flaw in the way many online services authenticate users, putting the privacy of millions at risk. The study reveals that websites relying on SMS links and codes for user verification leave individuals vulnerable to scams, identity theft, and various other cybercrimes.

These authentication links are commonly sent to users looking for a variety of services, from insurance quotes to job listings, and even referrals for pet care and tutoring. To simplify the login process and eliminate the need for usernames and passwords, many platforms request users' mobile phone numbers during account creation. They then dispatch authentication links or passcodes via text message whenever users attempt to log in. The alarming findings from a recent paper indicate that over 700 endpoints send these texts on behalf of more than 175 services in ways that compromise user security and privacy.

A particularly concerning vulnerability lies in the use of easily guessable links. Researchers discovered that by merely modifying the security tokens found in the URLs, they could access accounts that did not belong to them. This method involved simply incrementing the token, which allowed them to view sensitive personal information, such as incomplete insurance applications. In some cases, the researchers were able to perform transactions as if they were the actual users. Additionally, many links employed a limited number of token combinations, making them susceptible to brute-force attacks.

The study also highlighted instances where unauthorized users could access or alter account data without any other form of authentication, simply by clicking a link sent via SMS. Alarmingly, some of these links remained valid for days or even months, significantly increasing the risk of unauthorized access to user accounts.