
Several partners at sent a six-digit two-factor authentication code via SMS for access to the company's outreach network. Fidelity Investment Group also sent a six-digit security verification code to a number belonging to the Chicago Loop area.
We found that dating app Badoo sent a password to a mobile phone number in Los Angeles in a plaintext text message.

When we receive a text message from a company, whether it's Amazon's express notification or the two-factor authentication code for a service, most of us don't think about what's going on behind the scenes. Typically, application developers like HQ Trivia and Viber use technologies from companies such as Telesign and Nexmo, either to authenticate a user's mobile number or to send a two-factor authentication code. However, in which it acts as a gateway and is responsible for that code into a text message sent to the user's mobile phone over a cellular network but Voxox such companies.

After TechCrunch sent an inquiry, Voxox took the database offline. At the time it was taken offline, the database appeared to hold more than 26 million text messages sent since the beginning of the year. However, we could see the number of text messages processed per minute by the platform from the visual front end of the database, which indicates that the actual number may be higher.

Each record is carefully tagged and has detailed information, including the recipient's mobile number, the content of the message, the Voxox customer who sent the message, and the short code they used.

By a cursory review of the data, we found that:

The problematic server belongs to Voxox (formerly Telcentris), a communications company based in San Diego, California. The server is not password protected, and anyone who knows where to look can see near real-time SMS traffic.

It did not take Sébastien Kaul, a security researcher in Berlin, long to find it.

Although Kaul found this exposed server on Shodan (a search engine for publicly available devices and databases), Voxox's own second-level domain name also points to it.
To make matters worse, this database running on Amazon Elasticsearch is also equipped with a Kibana front end that makes the data easy to read, browse, and retrieve by name, mobile number, and text message content. The tens of millions of text messages in the database contained password reset links, two-factor authentication codes, and express notifications. A security error caused a huge database to be compromised.
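
One mitigation for the record layout described above, as an added example that is not from the original article or from Voxox: strip codes, links and passwords from message bodies and mask recipient numbers before a record reaches a searchable index. The field names, patterns and sample records are assumptions constructed for illustration.

```python
import re

# Redaction rules for the secret types the article says were stored.
# Order matters: links are removed first so digits inside URLs are not
# reported as separate codes. Patterns are illustrative assumptions.
RULES = [
    ("link", re.compile(r"https?://\S+", re.I), "[LINK]"),
    ("password", re.compile(r"(password\s*(?:is|:)\s*)\S+", re.I), r"\1[PASSWORD]"),
    ("code", re.compile(r"\b\d{4,8}\b"), "[CODE]"),
]


def redact_body(body):
    """Return (redacted_text, kinds_found) for one message body."""
    kinds = []
    for kind, pattern, repl in RULES:
        body, hits = pattern.subn(repl, body)
        if hits:
            kinds.append(kind)
    return body, kinds


def mask_number(msisdn):
    """Keep only the last two digits of the recipient number."""
    digits = re.sub(r"\D", "", msisdn)
    return "*" * (len(digits) - 2) + digits[-2:]


def sanitize(record):
    """Build the copy of a gateway record that is safe to index."""
    body, kinds = redact_body(record["body"])
    return {
        "customer": record["customer"],      # hypothetical field names
        "short_code": record["short_code"],
        "recipient": mask_number(record["recipient"]),
        "body": body,
        "redacted": kinds,
    }


# Constructed sample records (not taken from the exposed database).
SAMPLES = [
    {"customer": "ExampleBank", "short_code": "55555", "recipient": "+1 555 010 0142",
     "body": "Your verification code is 482913"},
    {"customer": "ExampleApp", "short_code": "44444", "recipient": "+1 555 010 0177",
     "body": "Reset here: https://example.test/reset?t=abc123 Your password is hunter2"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(sanitize(rec))
```

Redaction limits what a misconfigured index can leak; it does not replace authentication and network restrictions on the Elasticsearch and Kibana endpoints themselves.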
