Recent research has identified significant privacy risks in websites that authenticate users via links or codes sent through text messages. This method, used by numerous services like insurance, job listings, and referrals, exposes millions to potential scams and identity theft.
To simplify the login process, many services require users to submit a phone number instead of creating a traditional username and password. When a user attempts to log in, a link or passcode is sent via SMS. However, a paper published last week identified over 700 endpoints used by more than 175 services that compromise user security and privacy.
One critical issue is the use of easily enumerable links—those that can be guessed by making small adjustments to the security token in the URL. Such modifications might involve changing '123' to '124' or 'ABC' to 'ABD', enabling unauthorized access to personal accounts. This could allow attackers to view sensitive information or conduct business under another user's identity.
Furthermore, some authentication links use tokens drawn from such a small space of possible values that they are susceptible to brute-force attacks. Additionally, some links grant access or allow data modification with a single click on the SMS link, without any further authentication step. Alarmingly, several links remain active for years, increasing the potential for unauthorized use in the long term.
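The three weaknesses above (guessable tokens, a small token space, and links that never expire) map directly onto how a service issues and redeems its SMS login tokens. The following Python routine is an added illustration, not code from the paper or from any service it studied: it issues tokens from a cryptographically random 256-bit space, stores only a hash of each token, and rejects any token that is expired, unknown, or already used. Function names, the in-memory store, and the ten-minute lifetime are assumptions for the example.

```python
import hashlib
import math
import secrets
import time

# Constructed in-memory store for the example: sha256(token) -> record.
# A real service would use a database, but the checks are the same.
_STORE = {}

TOKEN_BYTES = 32          # 256 bits of entropy; cannot be enumerated by incrementing
TOKEN_TTL_SECONDS = 600   # ten minutes, in contrast to links that stay valid for years


def token_keyspace_bits(alphabet_size, length):
    """Bits of entropy in a token of `length` symbols drawn uniformly from `alphabet_size`.

    A three-digit token ('123'-style) has only ~10 bits, i.e. 1000 guesses cover it."""
    return length * math.log2(alphabet_size)


def issue_token(user_id, now=None):
    """Create a single-use SMS login token for `user_id` and return it for sending.

    Only the hash is kept server-side, so a leaked store does not leak usable links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _STORE[digest] = {"user": user_id, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_token(token, now=None):
    """Return the user id if `token` is known, unexpired and unused; otherwise None.

    A successful redemption consumes the token, so the same link cannot be replayed."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _STORE.get(digest)
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True
    return record["user"]
```

Replacing the 32-byte random token with a short or sequential value is exactly what turns the link into the enumerable kind the paper describes, and `token_keyspace_bits` quantifies how small such a space is.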