Millions of SMS Messages – Some of Which Contained Login and Authentication Codes – Have Been Exposed
We have talked in the past about why using text messages to transfer sensitive information is not a good idea. The technology behind SMS is decades old, messages travel without encryption, and the growing popularity of SIM swapping makes the channel unsuitable for things like 2FA codes. Last week, Noam Rotem and Ran Locar found out that SMSs can expose data in other scenarios as well.
People interested in cybersecurity news will recognize Rotem and Locar as the people heading a team of researchers from VPN Mentor. Over the last few months, they have been working on a web mapping project designed to "make the internet safer for all users". The experts are doing this by identifying servers and databases that expose sensitive information, and they've been responsible for the discovery of a few enormous leaks. On November 26, they found another one.
An SMS solutions provider leaves tens of millions of text messages in an exposed database
Last Tuesday, Rotem and Locar discovered an Elasticsearch database that was hosted on Microsoft Azure and ran on the Oracle Marketing Cloud. It held close to 1 billion entries, 604 GB of data in total, and the experts quickly established that it belonged to TrueDialog, a company providing various SMS services to businesses around the world.
Someone at TrueDialog placed all those entries in an internet-facing database and never put authentication in front of it. Elasticsearch serves its data through a plain HTTP REST API (port 9200 by default), and while a cluster is normally reachable only from inside an application's own network, an instance exposed to the internet without a password will answer any query a browser sends it. That is what happened here: the researchers found the installation and were able to list its indices and scan through the records simply by manipulating URLs.
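The check an administrator would want after reading this is whether their own cluster answers the same way. The script below is an added example written for this article, not code from the researchers or from TrueDialog. It builds the two URLs that expose an open cluster (the index listing and a match-all search), classifies the response, and only touches the network in `main()`; the `_cat/indices` response at the bottom is constructed sample data so the parsing can be exercised offline.

```python
"""Added example (not from the article or from TrueDialog): probe an
Elasticsearch endpoint for unauthenticated access.

Elasticsearch serves a plain HTTP REST API, on port 9200 by default. When no
authentication is configured, anyone who can reach that port can list every
index and read documents simply by crafting URLs, which is the "URL
manipulation" the article describes. URL building and response parsing are
pure functions; the network request happens only in main().
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple


def cat_indices_url(base: str) -> str:
    # _cat/indices lists every index with its document count and on-disk size.
    return base.rstrip("/") + "/_cat/indices?format=json"


def search_url(base: str, index: str, size: int = 1) -> str:
    # A match-all query; on an open cluster this returns real documents.
    return "%s/%s/_search?q=*&size=%d" % (base.rstrip("/"), index, size)


def parse_cat_indices(body: str) -> List[Dict[str, object]]:
    """Parse the JSON form of _cat/indices into name, document count and size."""
    rows = json.loads(body)
    return [
        {
            "index": r["index"],
            "docs": int(r.get("docs.count") or 0),   # null for closed indices
            "size": r.get("store.size") or "?",
        }
        for r in rows
    ]


def classify(status: int, body: str) -> str:
    """Turn the response to the _cat/indices request into a verdict."""
    if status == 401:
        return "auth-required"       # security is enabled; this is what you want
    if status == 403:
        return "forbidden"
    if status == 200:
        try:
            rows = parse_cat_indices(body)
        except (ValueError, KeyError, TypeError):
            return "not-elasticsearch"
        return "OPEN" if rows else "open-empty"
    return "unexpected-%d" % status


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET a URL, returning (status, body) even for 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def main(base: str) -> int:
    status, body = fetch(cat_indices_url(base))
    verdict = classify(status, body)
    print("%s: %s" % (base, verdict))
    if verdict != "OPEN":
        return 0
    rows = parse_cat_indices(body)
    for row in rows:
        print("  %-40s docs=%-12s size=%s" % (row["index"], row["docs"], row["size"]))
    # Confirm documents are readable without dumping the index.
    s, b = fetch(search_url(base, str(rows[0]["index"]), size=1))
    hits = []
    if s == 200:
        try:
            hits = json.loads(b)["hits"]["hits"]
        except (ValueError, KeyError, TypeError):
            pass
    print("  sample document readable from %s: %s" % (rows[0]["index"], bool(hits)))
    return 1


# Constructed sample of what _cat/indices?format=json returns on an open cluster
# (one open index, one closed index with null counts). Not real TrueDialog data.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "sms-messages", "uuid": "a1",
     "pri": "5", "rep": "1", "docs.count": "1000000", "docs.deleted": "0",
     "store.size": "12.4gb", "pri.store.size": "12.4gb"},
    {"health": "green", "status": "close", "index": "archive-2018", "uuid": "b2",
     "pri": "1", "rep": "0", "docs.count": None, "docs.deleted": None,
     "store.size": None, "pri.store.size": None},
])

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"))
```

Run it as `python probe.py http://your-host:9200`. A healthy cluster answers the index listing with 401, because security is enabled and the request carried no credentials; an `OPEN` verdict means anyone on the internet can read the data the same way the researchers did. The same listing is what you should expect an attacker's scanner to request first, so it is also a useful line to alert on in the cluster's access logs when it arrives from an unexpected source.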
Among the exposed records, Rotem and Locar located tens of millions of text messages sent to end-users with the help of TrueDialog's services. The database revealed not only the content of the messages but also their timestamps and the recipients' phone numbers. According to TechCrunch's Zack Whittaker, who has also seen the data, most of the exposed SMSs contained job alerts, marketing, and other relatively inconsequential messages, but there were also texts that carried two-factor and login codes, including ones for online medical services and websites like Facebook and Google. Unfortunately, these are far from the only pieces of sensitive information that got exposed.
TrueDialog exposed plenty of login credentials as well
In addition to the text messages, Rotem and Locar also found millions of email addresses, usernames, and passwords. Some passwords were stored in plaintext, and the rest were Base64-encoded. Base64 is an encoding, not encryption: it needs no key, and a single command turns the stored string back into the original password, so it offers no more protection than plaintext. Passwords in a database should only ever be stored as salted, deliberately slow hashes that can be verified but not reversed. These credentials all belonged to TrueDialog customers, who could have incurred a lot of damage as a result of the exposure. Unfortunately, unsuspecting end-users were also put at risk.
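To make the difference concrete, here is an added example written for this article (not code from the researchers or from TrueDialog). It takes two constructed records in the styles found in the leak, one plaintext and one Base64-encoded, shows that the Base64 one is recovered with a single call, and then migrates both to salted PBKDF2-HMAC-SHA256 hashes that can only be verified. The usernames, passwords and record layout are made up for the illustration.

```python
"""Added example (not from the article or from TrueDialog): Base64 is not
password protection, and what a proper store looks like instead.

The constructed records below mimic the two storage styles described above.
Base64 decodes back to the password with no secret; PBKDF2-HMAC-SHA256 with a
random salt and a high iteration count can only be verified, not reversed.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample records (not real data): one plaintext, one Base64-encoded.
SAMPLE_RECORDS = [
    {"username": "acme_marketing", "password": "Summer2019!"},       # plaintext
    {"username": "globex_sms", "password": "UEBzc3cwcmQxMjM="},      # base64("P@ssw0rd123")
]

PBKDF2_ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def recover_base64_password(stored: str) -> str:
    """Base64 is an encoding, not encryption: anyone can undo it with no key."""
    return base64.b64decode(stored).decode("utf-8")


def looks_base64(value: str) -> bool:
    """Heuristic: does a stored 'password' round-trip as Base64 of printable text?"""
    try:
        raw = base64.b64decode(value, validate=True)
        return base64.b64encode(raw).decode() == value and raw.decode("utf-8").isprintable()
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return False


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_b64$hash_b64' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iters)
    )
    # hmac.compare_digest avoids leaking how many bytes matched through timing.
    return hmac.compare_digest(dk, base64.b64decode(hash_b64))


def migrate_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Turn a plaintext/Base64 record into one holding only a PBKDF2 hash."""
    pw = rec["password"]
    if looks_base64(pw):
        pw = recover_base64_password(pw)
    return {"username": rec["username"], "password_hash": hash_password(pw)}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        shown = recover_base64_password(rec["password"]) if looks_base64(rec["password"]) else rec["password"]
        print("%-16s recovered password: %s" % (rec["username"], shown))
        migrated = migrate_record(rec)
        print("%-16s stored as:          %s" % (migrated["username"], migrated["password_hash"]))
```

The `looks_base64` check is a heuristic for a one-off migration: a short plaintext password made only of Base64 characters could in principle be mistaken for an encoded one, so in practice you would key the migration on whatever flag or column the application used, not on the string's shape. Note also that a migration like this is only possible because the originals are recoverable; that is exactly the property that made the exposed records dangerous.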
Hundreds of thousands of records contained personal data belonging to real individuals, including names, physical and email addresses, phone numbers, etc. Unfortunately, the experts can't say how many users were affected because of a problem with the database's search functionality. According to Rotem and Locar, however, TrueDialog's SMS solutions can reach as many as 5 billion subscribers, and you can probably imagine what would happen if even a small portion of those people ended up with their data exposed.
TrueDialog buries its head in the sand
As you'd expect, Noam Rotem and Ran Locar tried to get in touch with TrueDialog immediately after they discovered the exposed database. In less than a day, the misconfigured Elasticsearch installation was taken offline and the exposure was closed. The reaction was indeed quick, but overall, TrueDialog can serve as an example of how not to respond to a data security incident.
The company failed to reply to Rotem and Locar's emails, and it remained silent even after Zack Whittaker tried to get in touch. The volume of data that was exposed is significant, and although there's no evidence of anyone actively abusing it, the damage it could potentially cause is enormous. The leak was caused by a configuration error, and in an ideal world, the company responsible would try to be as transparent as possible about what happened and what has been done to ensure that users don't end up in the same situation again. In an ideal world, that company wouldn't be storing passwords in a woefully insecure manner, either. Unfortunately, this is not an ideal world, and TrueDialog is acting as if nothing has happened.