Insecure Database Exposed Two-Factor code, SMS, and Reset Link in Plain Text

Voxox's leaky database exposed a large volume of user information, including two-factor codes, SMS messages and password reset links
A researcher found a database exposing a large amount of sensitive information, including text messages, two-factor authentication codes, password reset links and codes, and more.

The database belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company that provides wholesale SMS, wholesale voice, business VoIP and cloud communication services.
The worst part is that the server was not password-protected, so anyone who found it could access the database.

The leaky database was found by Sébastien Kaul, a Berlin-based security researcher. Kaul located the exposed server on Shodan; it was configured under one of Voxox's subdomains.
He found that the database was running on Amazon's Elasticsearch and was configured with a Kibana front-end, which made the data easily readable, browsable and searchable by name, cell number and the contents of the text messages themselves.
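The "no password" failure described above, as an added defensive check that is not part of the original report or of Voxox's setup: assuming the managed Amazon Elasticsearch Service, where who can reach a domain is governed by its resource-based access policy, this Python audit flags policy statements that grant es: actions to any principal with no narrowing condition. The two policies, the account id, the role name and the domain name are constructed placeholders.

```python
# Constructed sample: an Amazon Elasticsearch Service domain access policy that
# lets any caller run any es: action. The account id and domain are placeholders.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-west-2:123456789012:domain/example-domain/*",
    }],
}

# Constructed hardened variant: only a named IAM role may use the HTTP API, and
# only from a known address range (203.0.113.0/24 is a documentation range).
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/sms-platform-app"},
        "Action": ["es:ESHttpGet", "es:ESHttpPost"],
        "Resource": "arn:aws:es:us-west-2:123456789012:domain/example-domain/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    # Both "*" and {"AWS": "*"} mean "any caller, including anonymous".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def find_open_statements(policy):
    """Indices of Allow statements usable by an anonymous caller.

    Flags statements granting an es: action to a wildcard principal with no
    Condition narrowing the source. Deny statements are left for manual review.
    """
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.lower().startswith("es:") for a in actions) and not stmt.get("Condition"):
            flagged.append(i)
    return flagged
```

Running the audit against OPEN_POLICY flags statement 0; against RESTRICTED_POLICY it flags nothing, which is the state a domain carrying SMS traffic should be in.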

In its report, TechCrunch wrote:
"At the time of its closure, the database appeared to have a little over 26 million text messages year-to-date. But the sheer volume of messages processed through the platform per minute — as seen through the database’s visual front-end — suggests that this figure may be higher."
When TechCrunch reviewed a sample of the leaked data, it found the following:
  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.

Once the Voxox team was notified of the leaky database, it immediately took the database offline. The company is now investigating the issue and following its standard data breach policy.

So far there is no evidence that the information was misused, but exposing this type of sensitive data, in plain text no less, could allow accounts to be hijacked within seconds.

Source: TechCrunch