A technology firm that sends out millions of SMS messages globally has secured a confidential database with one-time security codes that could allow users to access Facebook, Google, and TikTok accounts.
The production of mobile network equipment and SMS text message routing services are handled by YX International, an Asian Internet and technology company. Regional carriers and carrier networks use SMS routing to send emergency text messages to the appropriate destination, such as users receiving SMS security codes or links to sign in.
YX International claims to send 5 million text messages per day.
But the tech company left one of its internal databases exposed to the Internet without a password, allowing anyone to access the sensitive data therein using just a web browser, just by knowing the public IP address of the database. Anurag Sen, an expert in detecting sensitive data sets that are accidentally exposed on the Internet and a real security researcher, discovered the database.
According to Sen, it was not evident who had the database or who would report the leak.
Sen reported that the data of text messages sent to users, such as one-time passwords and password reset links, is stored in the exposed database by some of the biggest tech companies such as online community includes companies such as Facebook, WhatsApp, Google, and TikTok.
.
The database has been holding monthly logs since July 2023 and is expanding at an average speed of 1200 kilobytes per minute. TheĀ use of two-factor authentication (2FA) helps prevent online account takeovers that rely on password theft by sending an additional code to trusted device.
For example, two-factor codes or even password resets like those found in the exposed database expire after a few minutes or after use.
SMS-based codes are less secure than more robust forms of 2FA, such as app-derived code generators, because SMS messages can be intercepted or exposed, or potentially leaked to a database.
Shortly after, the database was shut down.
YX International’s spokesperson, who chose to remain anonymous, responded that the company had closed this flaw.
A representative from YX International confirmed that the server does not keep access logs, which could help identify whether or not someone other than Sen has discovered the database and its contents.
YX International did not provide an indication on the timeline for the database’s exposure. The spokesperson of Meta opted not to comment when reached out to them via email.
No response was received from Google or TikTok in regards to requests for comment.