A major security lapse has exposed millions of text messages and sensitive information like password reset links and therefore the two-factor authentication codes. The leaked info was hosted on server of California-based firm, Voxox.
The server was found on Shodan, a well-liked search engine for looking out publicly available devices and databases. The server is additionally connected to one of the Voxox’s subdomains. A report suggests that the leaky info contains nearly 26 million text messages in conjunction with their timestamps. The rationale behind the leak is that the server wasn’t password-protected, allowing anyone to snoop on the data.
Amazon Elasticsearch
Voxox server is running on Amazon’s Elasticsearch, making it easier to search and read the specific details from the database. The database configured with a Kibana front-end makes it super easy for anyone to browser and search database by names, cell numbers, and specific contents of text messages.
Two-factor authentication
Internet users are usually created to believe that two-factor authentication (2FA) is most secure. But Voxox server database contains 2FA text messages of a lot of users. The compromise information includes 2FA authentication codes. If this information goes within the wrong hands, it may even cause huge account takeovers.
Internet platforms like hq trivia, and Viber partner with school suppliers like Telesign and Nexmo to either verify user’s sign or send a two-factor authentication code. Voxox acts as a gateway to send and convert codes into text messages.
Each record of the text messages is correctly labelled and includes recipient’s phone numbers. An investigation found messages containing Microsoft account reset codes, Huawei ID verification codes. A number of hospitals send reminders to patients concerning future appointments and charge inquiries. The text messages contain theses details in addition.
Voxox is now investigating the matter and according to Kevin Hertz, the co-founder and CTO, the company has pulled the databases offline.