IdentifyMobile incident exposed 200M records from hundreds of companies

The researchers who disclosed the issue say they had live access to the data.
Despite using passwords and SMS-based one-time passwords, access to your online banking account, private email, or social media profiles could be compromised.

This scenario was possible due to a security lapse at the British bulk SMS provider IdentifyMobile, which processes a large volume of SMS traffic daily for numerous major clients. Many of these messages are part of two-factor authentication (2FA) processes, intended to enhance security by sending a second authentication factor via SMS.

The Chaos Computer Club (CCC) discovered that every SMS IdentifyMobile sent on its clients’ behalf since August 2023 was stored on an unsecured Amazon Web Services (AWS) S3 server. Due to a developer error, the server was accidentally made accessible to anyone who knew its web address, with no passwords or encryption protecting the data.
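The root cause described above is a bucket that anyone with the URL could read. As an added example (not from the article, CCC or IdentifyMobile), this Python audit flags the bucket-policy shape that produces that exposure and checks whether Block Public Access would neutralise it; the policy, bucket name and account id are constructed for the example, not taken from the incident.

```python
# Constructed sample bucket policy (invented for this example, not IdentifyMobile's).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/sms-gateway"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-sms-archive/*"},
        # The developer-error statement: an anonymous read grant with no Condition.
        {"Sid": "OopsPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-sms-archive",
                      "arn:aws:s3:::example-sms-archive/*"]},
    ],
}

# Constructed Block Public Access settings, in the shape GetPublicAccessBlock returns.
# All four flags off means nothing overrides a public policy.
SAMPLE_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

def _is_anonymous(principal):
    """True if the statement's Principal grants to everyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def public_read_statements(policy):
    """Sids of Allow statements that let anonymous callers list or read objects
    with no Condition narrowing them (the shape that exposes a bucket)."""
    read_actions = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
    hits = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
                and not st.get("Condition")
                and any(a.lower() in read_actions for a in actions)):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def bucket_is_exposed(policy, bpa):
    """Exposed when a public-read statement exists and RestrictPublicBuckets is off.
    (BlockPublicPolicy only rejects *new* public policies; RestrictPublicBuckets is
    the flag that stops anonymous access through an already-attached one.)"""
    return bool(public_read_statements(policy)) and not bpa.get("RestrictPublicBuckets", False)
```

In a real account the two inputs would come from `s3:GetBucketPolicy` and `s3:GetPublicAccessBlock`; the remediation is to delete the offending statement and turn all four Block Public Access flags on.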

The CCC, a well-known security research organization, published its report today stating that it had real-time access to over 200 million SMS messages from more than 200 companies.

In an email conversation, the researchers confirmed that the data was written to the bucket at fixed intervals, meaning an attacker could time a 2FA request so that the code was read before it expired. 2FA services usually expire tokens within a few minutes (typically anywhere from 5 to 30). Token expiry would therefore have made little difference to a malicious actor with the same access to the exposed S3 bucket, although it is unclear whether anyone other than CCC had it.

According to CCC, the exposed data included not only SMS message content but also phone numbers, sender names, and sometimes other account information.

This aligns with our recent report on Twilio, which alerted users on July 3 to a security incident involving iBasis (a backup carrier) that had used IdentifyMobile (iBasis’s own backup carrier). Since CCC did not mention explicit dates, it is the Twilio report that lets us say the data was accessible to the public between May 10 and May 15, 2024.

According to Twilio, in collaboration with iBasis, the exposed bucket was directly accessed between May 13 and 14. They confirmed that CCC had accessed it but added, “We do not have evidence that allows us to confirm that no other third party accessed the data.”

CCC findings

The CCC, being at the right place at the right time, was able to access this exposed bucket by guessing its subdomain name. The data they found inside included SMS contents, recipients’ phone numbers, sender names, and other SMS metadata.

To truly misuse the SMS codes, attackers would typically still need the password. However, “1-click login” links were also included in the data. For some of the large affected companies, only individual services routed their SMS through IdentifyMobile.

Their research into the data revealed that over 200 companies were affected, including prominent names like Google, Amazon, Facebook, Microsoft, Telegram, Airbnb, FedEx, and DHL. In total, they were able to identify over 198 million SMS messages.

CCC disclosed that they saw SMS contents such as:

  • WhatsApp codes
  • Transaction authorization numbers (TANs) for financial transactions
  • “1-click login” links

For example, they were able to access SMS content like this:

WhatsApp code: 2342
You can also tap on this link to verify your phone:
v.whatsapp.com/2342
Do not share this code.
-------------------------
Transfer to DE63 4306 0967 1239 7690 03
Amount: 1,312.00 EUR
TAN: 161161
Please enter this TAN to complete the transaction.
This TAN is valid for 5 minutes.
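Because what leaked was stored message bodies, one gateway-side mitigation is to never archive the secret part of an OTP or TAN message. As an added example (not from the article, CCC or IdentifyMobile), this Python redaction pass is run over constructed messages shaped like the two samples above and masks codes, verification links and account numbers before anything is written to storage.

```python
import re

# Constructed sample messages in the same shape as the samples quoted above.
WHATSAPP = ("WhatsApp code: 2342\nYou can also tap on this link to verify your phone:\n"
            "v.whatsapp.com/2342\nDo not share this code.")
BANK = ("Transfer to DE63 4306 0967 1239 7690 03\nAmount: 1,312.00 EUR\nTAN: 161161\n"
        "Please enter this TAN to complete the transaction.\nThis TAN is valid for 5 minutes.")

# Patterns for the secrets that must not reach long-term storage:
# "code: 2342" / "TAN: 161161", host/path links carrying a code, and IBANs.
CODE_LINE = re.compile(r"(?i)\b(code|TAN|OTP|PIN)\s*:\s*\d{4,8}\b")
LOGIN_LINK = re.compile(r"(?i)\b[\w.-]+\.[a-z]{2,}/\S*\d\S*")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?\d{4}){3,7}(?:\s?\d{1,4})?\b")

def redact_sms(body):
    """Return (sanitized_body, categories). The body is safe to archive; the
    sorted category list records what was removed so delivery audits still work."""
    cats = set()

    def mask_code(m):
        cats.add("otp")
        return f"{m.group(1)}: [REDACTED]"      # keep the label, drop the digits

    def mask_link(m):
        cats.add("link")
        return "[LINK REDACTED]"                # a 1-click link is itself the secret

    def mask_iban(m):
        cats.add("iban")
        acct = m.group(0)
        return acct[:4] + " **** " + acct[-2:]  # country+check digits and last two only

    body = CODE_LINE.sub(mask_code, body)
    body = LOGIN_LINK.sub(mask_link, body)
    body = IBAN.sub(mask_iban, body)
    return body, sorted(cats)

if __name__ == "__main__":
    for msg in (WHATSAPP, BANK):
        text, cats = redact_sms(msg)
        print(cats, "\n" + text, "\n---")
```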

If this information fell into the wrong hands (and we don’t know if it did), it could be sold on the dark web. Criminals could exploit TAN (Transaction Authentication Number) codes for financial transactions to authorize fraudulent transfers, moving money into accounts they control. The same goes for one-click login links, which could be used to hijack user authentication sessions.

Admittedly, based on what we know, these SMS contents were exposed for only a few days, from May 10 to May 15. However, even this brief window represents a serious security lapse. During these few days, attackers could have accessed sensitive information and created backups of it—CCC has not mentioned what else was stored in the AWS bucket.

Even if attackers couldn’t use the authentication codes because of certain limitations, they’d still get away with data such as phone numbers, names, and whatever else was stored in the bucket. CCC has stated that while they did not retain the data, they cannot rule out the possibility that others may have accessed it.

IdentifyMobile has not made any public statements so far, and we’re also trying to get a direct quote from them.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.