TechCrunch recently reported that a database run by Voxox, a provider that relays authentication and two-factor (2FA) SMS messages on behalf of major companies such as Microsoft and Google, had been left exposed on the internet. The database had no password, so anyone who found it could have read its contents. The exposure was discovered by Sebastien Kaul, a security researcher based in Berlin; Voxox took the database offline after TechCrunch contacted the company.
A 2FA code is a one-time code that a service sends to the user as a second layer of security, on top of the password, when logging in to its website or app. Transactional messages in the same feed have no comparable protection: an attacker able to alter them could have inserted fraudulent transaction alerts that directed recipients to phone numbers controlled by the attacker.
That would have set up a conventional phishing attack with one twist: the lure would have appeared to come from the major services themselves, making account takeover far more likely.
The server was reportedly still active after the flaw was discovered, and it is suspected that other parties may have gained access to it in the meantime. Anyone who reached it could have read a live stream of personal data, including two-factor authentication codes and password reset messages. The database held some 26 million messages, all of them readable by whoever found it.
This is a timely reminder to use an authenticator app such as Google Authenticator instead of SMS wherever a service supports it. The app generates short-lived codes on the device itself from a shared secret, so no code ever passes through a carrier or an SMS provider like the one exposed here, and this whole class of interception disappears. Authenticator codes are not phishing-proof: a real-time phishing page can relay a code to the legitimate site before it expires. But they cannot be read out of a third party's database, which is why they are considerably more secure than SMS-based 2FA.