NEWS One-click login – and one more hacked person. How your laziness helps scammers steal data.

pinkman

Hundreds of online services allow hacking accounts through vulnerabilities in SMS links.
Today, you can access your account with just one click of a link sent via SMS. It's convenient, fast, and password-free. But researchers have discovered that this very simplicity poses a serious threat to the privacy of millions of people worldwide.

A study has shown that websites that authorize users via links and codes in text messages expose them to a widespread risk of fraud, identity theft, and personal data breaches. These include common services such as job boards, insurance quote sites, pet sitters, tutors, and other everyday services. Instead of a username and password, users are prompted to enter a phone number, and upon logging in, the system sends a link or code via SMS.

The problem is that in many cases such links are extremely insecure. The researchers discovered over 700 technical endpoints through which SMS messages are sent on behalf of 175 services. Many of these services use easily guessable tokens in links: changing just a few characters in the address can give access to someone else's account. In practice, the researchers were able to view other users' personal data, including partially completed insurance forms, and in some cases they could theoretically perform actions on their behalf.

Some services used such primitive code combinations that they could be brute-forced. In other cases, the link in the SMS itself granted full access to data without any additional verification. Moreover, some of these links remained functional for years after being sent, further increasing the risk of unauthorized access.

The situation is exacerbated by the fact that SMS messages are not encrypted. In 2019, experts already discovered exposed databases containing millions of saved messages, containing login links, names, addresses, usernames, passwords, financial requests, and other confidential data.

The study collected over 322,000 unique links from 33 million SMS messages sent to over 30,000 numbers. 701 of these links were linked to services that exposed critical personal data, including dates of birth, bank account numbers, credit ratings, and even social security numbers. 125 services were found to be susceptible to mass link brute-force attacks due to weak token generation algorithms.

The authors of the study emphasize that the true scale of the problem is likely much larger. They studied only public SMS gateways, where people can receive messages to temporary numbers without revealing their phone numbers. Examples of such gateways can be found here and here. This provides only a limited understanding of how widespread this insecure authentication scheme is.

Researchers clearly state that the primary responsibility lies with the services themselves, not users. It's difficult for people to protect themselves because vulnerable platforms include large, well-known companies with millions of customers. Users' only recourse is to report problems to the services and delete their data if it becomes clear that their protections are insecure.

However, the very idea of "magic links" isn't inherently evil. If they carry a cryptographically strong token, are single-use, and have a strict time limit, such a mechanism can be relatively secure. Some websites use similar email authentication, where the link is valid for a limited time and is additionally protected by two-factor email authentication. However, for large services, banks, and email platforms, such methods are considered unacceptable due to the volume of stored data and the difficulty of restoring access.
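The three properties named above (unguessable token, single use, short lifetime) in working form, as an added example written for this post, not code from the study or any of the services it describes. The in-memory store and the `example.invalid` host are placeholders; a real deployment would back this with a database and its own domain.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

TOKEN_BYTES = 32          # 256 bits of CSPRNG entropy: not guessable or brute-forceable
TOKEN_TTL_SECONDS = 600   # strict validity window; links must not work for years

# Constructed in-memory store (assumption): sha256(token) -> (user_id, expires_at).
# Only the hash is kept, so a leaked store (like the exposed SMS databases above)
# does not yield working login links.
_PENDING: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use login token for user_id and return the URL to send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, never sequential or derived from user data
    _PENDING[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return f"https://example.invalid/login?token={token}"  # placeholder host


def token_from_link(url: str) -> str:
    """Extract the token query parameter from a link produced by issue_magic_link."""
    return parse_qs(urlparse(url).query)["token"][0]


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is valid, else None. The token is consumed
    on any attempt, so it cannot be replayed and an expired one cannot be revived.
    Lookup is by hash, so no secret-dependent string comparison happens here."""
    now = time.time() if now is None else now
    record = _PENDING.pop(_digest(token), None)   # pop = single use
    if record is None:
        return None                               # unknown, already used, or tampered
    user_id, expires_at = record
    if now > expires_at:
        return None                               # expired: reject and stay consumed
    return user_id
```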

The study shows that improving user experience increasingly trumps security. However, of the 150 companies the researchers contacted, only 18 responded, and only seven implemented actual fixes.

While the practice of logging in via SMS links continues to spread, users should be aware that such messages may not only be a way to log into their accounts, but also a potential leak of their most sensitive data. And judging by the industry's response, this problem isn't going away anytime soon.