NeoChainDaily
15.01.2026 • 05:25 Cybersecurity & Exploits

Study Finds Widespread Privacy Risks in SMS-Delivered URLs

Global: Security Risks of SMS-Delivered URLs Exposed in Large-Scale Study

A new academic study reveals extensive security and privacy vulnerabilities associated with short message service (SMS) links that grant direct access to online services. Researchers analyzed more than 322,000 unique URLs extracted from over 33,000,000 messages sent to approximately 30,000 phone numbers, uncovering systemic weaknesses that could be exploited by malicious actors.

Study Overview

The investigation focused on public SMS gateways, which relay messages containing clickable links to users. By aggregating data from a broad sample of carriers and service providers, the authors aimed to quantify the prevalence of insecure authentication practices and assess potential exposure of personally identifiable information (PII).

Data Collection and Scope

Data were gathered from a heterogeneous set of SMS traffic, encompassing a variety of geographic regions and service categories. The resulting dataset comprised 322,000 distinct URLs, each representing a potential entry point to a backend service. The scale of the collection allowed the team to identify patterns that would be invisible in smaller samples.

Key Privacy Vulnerabilities

Manual verification uncovered critical PII exposure in 701 endpoints across 177 distinct services. The compromised data included social security numbers, dates of birth, bank account numbers, and credit scores, indicating that the links functioned as de facto authentication tokens without additional safeguards.

Weak Authentication Mechanisms

Analysis of the underlying authentication model showed that many services rely solely on tokenized bearer URLs as proof of authorization. Consequently, anyone possessing a valid link can retrieve private user information, effectively bypassing traditional login requirements.

URL Enumeration Risks

The study identified 125 services that permit mass enumeration of valid URLs due to low entropy in token generation. This flaw enables automated discovery of active links, amplifying privacy risks beyond the initially compromised users.

Data Overfetching Issues

Further inspection revealed mismatches between graphical user interfaces and the data returned to clients. Specifically, 76 services performed data overfetching, returning more information to the client than the interface displays and expanding the scope of inadvertent data leakage.

Remediation Efforts

According to the authors, 18 services have acknowledged the findings and implemented corrective measures, thereby improving the privacy posture for an estimated 120,000,000 users.

Implications for Service Providers

The results underscore the need for robust authentication frameworks that do not depend solely on opaque URLs. Experts suggest adopting multi-factor verification and implementing token generation schemes with sufficient entropy to deter enumeration attacks.
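The sketch below is an added example, not code from the study or from any service it examined. It combines the mitigations named above: a token drawn from a CSPRNG, a second check before any personal data is returned, and a field allowlist against overfetching. The URL, field names, lifetime, sample record and the `second_check_passed` flag are assumptions made for illustration.

```python
import hashlib, math, secrets, string, time

TOKEN_BYTES = 16                      # 128 random bits (assumed policy value)
LINK_TTL = 15 * 60                    # assumed link lifetime, seconds
PAGE_FIELDS = {"first_name", "appointment"}   # fields the landing page renders

# Constructed sample data standing in for the service's database.
RECORDS = {"u1": {"first_name": "Ana", "appointment": "2026-02-01 10:00",
                  "dob": "1990-01-01", "account_no": "0000000000"}}
LINKS = {}                            # sha256(token) -> (user_id, expires_at)

ALPHABETS = [string.digits, "0123456789abcdef",
             string.ascii_letters + string.digits,
             string.ascii_letters + string.digits + "-_"]

def max_bits(token):
    """Upper bound on entropy: length * log2(smallest alphabet covering token)."""
    for alphabet in ALPHABETS:
        if set(token) <= set(alphabet):
            return len(token) * math.log2(len(alphabet))
    return len(token) * 8.0

def issue_link(user_id, now=None):
    """Create a link whose token comes from the OS CSPRNG; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    LINKS[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + LINK_TTL)
    return "https://service.example/l/" + token

def resolve_link(token, second_check_passed, now=None):
    """Return the data a request may see, or None for unknown/expired tokens."""
    now = time.time() if now is None else now
    entry = LINKS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or now > entry[1]:
        return None
    if not second_check_passed:
        return {}                     # the URL alone unlocks no personal data
    record = RECORDS[entry[0]]
    # Field allowlist: the response carries only what the page displays.
    return {k: v for k, v in record.items() if k in PAGE_FIELDS}
```

`max_bits` gives only an upper bound, so it can flag a token format as too small to resist enumeration but cannot prove that a long token was generated randomly.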

Future Directions

The researchers recommend ongoing monitoring of SMS-delivered links and further study of mitigation strategies, including the exploration of alternative delivery channels that provide stronger security guarantees.

This report is based on the abstract of a research paper from arXiv, licensed under Academic Preprint / Open Access. The full text is available via arXiv.
