Voxox’s Unprotected Server Exposes Over 26 Million Text Messages

Security researchers have found an unprotected database containing tens of millions of text messages,  security codes, password reset links, two-factor codes, and shipping notifications.

The exposed server belongs to a California-based communications firm, Voxox. It was not difficult to find the server as it was not protected with a password, and was searchable for both names and telephone numbers, TechCrunch reported.

The security flaw was first noticed by a Berlin-based security researcher Sebastian Kaul. He found the database on a search engine, Shodan, that is used to search publicly available devices and databases.

Voxox act as a gateway between app developers and customers’ phones.  It converts shortcode into text messages and delivers it to the users’ phones.

The exploited database of Voxox has the text messages sent to users from companies like Google, Amazon, and Microsoft.

The firm pulled the database offline after being inquired by the TechCrunch researcher.

 Other findings from a cursory review of the data by the TechCrunch research team includes:

  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.

Leave a Reply