Voxox Database Misconfiguration Exposes 26M SMS Messages

By   ISBuzz Team
Writer , Information Security Buzz | Nov 19, 2018 01:45 am PST

The news broke yesterday that Voxox, a San Diego, California-based communications provider, left a database containing at least 26 million text messages, including password reset links, 2FA codes, shipping notifications and more exposed without a password. The exposure to personal information, phone numbers and 2FA codes in near-real-time could have put countless accounts at risk of hijack. Some websites only require a phone number to reset an account to meaning that this process could take just seconds. IT security experts commented below.

Jacob Serpa, Product Marketing Manager at Bitglass:

isbuzz author male 1“It does not take much for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect abusable misconfigurations within cloud-tools like Amazon’s S3. Voxox’s misconfiguration left more than 26 million MFA codes, password reset links, and delivery tracking details out in the open, compromising the account security of millions.

Over the past year, misconfigurations have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and consequently are susceptible to careless and reckless mistakes like misconfigurations. As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage; for example, cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA) and more. Only then can they be certain that their data is truly safe.”

Mark Weiner, CMO at Balbix:

Mark Weiner headshot“Unfortunately, these 26 million 2FA codes, password reset links and delivery tracking details leave the exposed individuals easy targets for threat actors engaged in account hijacking. A basic misconfiguration like the one that caused this exposure should never occur, implementing a password is a simple but crucial first step in securing data.  The organization and its customers might still be secure if they had early visibility into vulnerabilities across their entire attack surface — including passwords — and been able to correct it shortly after launching the service.

It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of attack vectors—security platforms developed with artificial intelligence and machine learning are essential to support security teams, and proactively manage risk.”

Michael Magrath, Director, Global Regulations & Standards at OneSpan, Inc.:

Michael Magrath“This egregious security lapse is significant.  The fact that one-time password (OTPs) codes were sent via SMS in clear text reinforces NIST’s decision to classify SMS-OTP as a restricted form of authentication in its 2017 revision of Special Publication 800-63-3 “Digital Identity Guidelines” Like passwords SMS OTPs are vulnerable to attacks and can be intercepted and reused.

“The fact that messages were sent in clear text with the ability to link one’s mobile phone number to a service provider opens the door to serious privacy infringements.  The only good news to come out of this for California-based, Voxox is that these security infractions occurred before the California Consumer Privacy Act of 2018 goes into effect in January 2020.  The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”    The article cites that a password was sent in plaintext to a Los Angeles phone number by dating app Badoo, which would be in direct violation of the Act. Let’s hope the Badoo subscriber is not married.  If so, they may be no longer.

“For convenience, many people reuse the same password across multiple websites.  Intercepted passwords sent in plain text could open a user to account takeover at their bank, brokerage, and favorite e-commerce sites.   Even more reasons why websites should accept strong authentication for users to access and make transactions.  Technologies like Intelligent Adaptive Authentication — which analyzes and score hundreds of user, device, and transaction data in real-time to determine the precise authentication requirements for each transaction — are beneficial to organizations of all sizes while offering robust, risk-based security without compromising end-user convenience.  With so many frictionless options commercially available, it is more of a question or “why not” rather than “when.”

Bimal Gandhi, Chief Executive Officer at Uniken: 

isbuzz author male 1“Using SMS for authentication opens up several threat vectors for firms to worry about including device swap, SIM swamp and number porting. Companies using SMS should be put on high alert, as that data can be combined with commonly available personal information on the dark web and used in large scale attacks. While SMS is commonplace and easy to set up, companies need to make the right choice when choosing between doing what’s easy and doing what’s most secure for their customers and their firm.”