Saturday, January 22, 2022

2-factor authentication: Voxox SMS data exposed on the net in real time


Two-factor authentication promises a high level of security, but security experts have concerns when it is implemented via SMS. A case from the US now shows how a vendor's negligence threatens the protection of millions of consumers: SMS verification messages landed on the open internet in real time.

Open server with lots of sensitive content

The US company Voxox says it provides communications services for corporate customers and also offers SMS delivery to over 180 countries. As TechCrunch now reports, an ugly discovery was made concerning exactly this SMS service. A Berlin security researcher found an unsecured server on the net on which the provider's complete SMS database was stored.

According to the report, around 26 million text messages were found on the server, which was accessible to anyone. Thanks to a Kibana front end on top of Elastic's Elasticsearch, it was very easy to search the data by name and telephone number as well as by message content. A first review of the list shows that it contains very sensitive material.

Among the messages were plaintext passwords that the Chinese dating service Badoo had sent to a customer. In addition, there are codes that were sent for two-factor verification, ranging from Google accounts to corporate networks.

Exposed in real time

Especially sensitive: as TechCrunch noted, the data was written to the publicly accessible database almost in real time, allowing attackers to read the content at the same time as, or even before, the user, and for example to use a verification code for their own purposes.

On request, Heise received a statement from Voxox confirming the event: "The vulnerability would allow unauthorized people to access text messages sent by our network," the statement said. After the issue became known, the hole was "plugged" within minutes. An investigation did not reveal any compromise by a third party.
