A Leaky Database Spilled 2FA Codes For the World's Tech Giants (techcrunch.com) 11
An anonymous reader quotes a report from TechCrunch: A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users' access to their Facebook, Google and TikTok accounts. The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services. YX International claims to send 5 million SMS text messages daily. But the technology company left one of its internal databases exposed to the internet without a password, allowing anyone to access the sensitive data inside using only a web browser, just with knowledge of the database's public IP address.
Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse. Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others. The database had monthly logs dating back to July 2023 and was growing in size by the minute. In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later.
Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse. Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others. The database had monthly logs dating back to July 2023 and was growing in size by the minute. In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later.
They just proved they can't be trusted (Score:3)
If they were willing to snoop on this data stream, what is their networking equipment sending home? Bei pu ku time for an executive?
TOTP (Score:3)
These companies need to support TOTP so we can
1) Not worry about security
2) Not wait forever for a message to appear
3) Not disclose our phone number to anyone
4) Not need a live phone tower connection
5) Not be forced to use some proprietary app instead which only works with their crap and spies on the users
6) Choose an open-source app that doesn't link to and depend on some tech giant....
I like FreeOTP+: https://play.google.com/store/... [google.com]
Re: (Score:2)
I love TOTP and use it on every web site that supports it. However, someone could just as easily screw up and expose a database of TOTP secrets. The beauty of TOTP is that no communication has to happen for you to get your authentication code, assuming the clock on your devices is fairly accurate. The weakness is that both the server and your device need to have access to the TOTP secret in cleartext form.
I use the Aegis [getaegis.app] TOTP program on my phone. It's open-source.
Re: (Score:2)
> 3) Not disclose our phone number to anyone
That's what they're after.
SMS are not proper 2FA (Score:4, Insightful)
Proper 2FA include a hardware key like a YubiKey [yubico.com], or an OTP authenticator like the Google Authenticator.
SMS-based 2FA is just Google, Microsoft or Facebook wanting to get your phone number: if they wanted to provide true security, they wouldn't use a highly insecure channel like SMS, and they wouldn't outsource sending the SMS codes to a company in Kosovo.
Re: (Score:2)
It is proper 2FA, because you need to know something (your password) and have something (your SIM card).
It is not the best 2FA, because it is hackable, but it's not not 2FA. There's a tradeoff between security and convenience and people won't pick arbitrary inconvenience to get security.
The SMS based version is quick and easy and most people have a convenient way of getting it back if they lose their phone, or its stolen. Anything which raises the convenience bar too high won't get used as much which will l
2fa is better, bigger, more! (Score:1)
If your plain old password is compromised, it's just your account or just your company's network.
If your 2fa system is compromised, it's *everyone's* account and network.