Millions of people imperiled through sign-in links sent by SMS
Summary
Recent research has found that websites that authenticate users via sign-in links sent by SMS are endangering the privacy and security of millions of users, leaving them vulnerable to scams, identity theft, and other crimes. Such links are widely used by services including insurance quotes, job platforms, pet sitting, and tutor referrals. The research notes that more than 700 SMS-verification endpoints used by over 175 service providers carry this security risk: an attacker can reach other people's accounts simply by enumerating the security token, obtaining personal information including partially completed insurance applications.
Websites that authenticate users through links and codes sent in text messages are imperiling the privacy of millions of people, leaving them vulnerable to scams, identity theft, and other crimes, recently published research has found.
The links are sent to people seeking a range of services, including those offering insurance quotes, job listings, and referrals for pet sitters and tutors. To eliminate the hassle of collecting usernames and passwords—and for users to create and enter them—many such services instead require users to provide a cell phone number when signing up for an account. The services then send authentication links or passcodes by SMS when the users want to log in.
Easy to execute at scale
A paper published last week has found more than 700 endpoints delivering such texts on behalf of more than 175 services that put user security and privacy at risk. One practice that jeopardizes users is the use of links that are easily enumerated, meaning scammers can guess them by simply modifying the security token, which usually appears at the right of a URL. By incrementing the token—for instance, by first changing 123 to 124 or ABC to ABD and so on—the researchers were able to access accounts belonging to other users. From there, the researchers could view personal details, such as partially completed insurance applications.
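The defensive counterpart to the enumeration problem described above is a sign-in link whose token cannot be guessed by incrementing, is stored only as a hash, expires, and can be redeemed once, with a per-source counter so that a burst of invalid-token lookups is visible to monitoring. The following is an added example written for this article; it is not code from the paper or from any of the affected services, and the `MagicLinkService` class, the in-memory store, the 10-minute lifetime, and the threshold of 20 failed lookups are all assumptions chosen for illustration.

```python
"""Hardened SMS sign-in link issuance and verification (added example).

Assumed design: tokens are 256-bit random values, stored only as SHA-256
digests, valid for a limited time, and single-use. Invalid-token lookups are
counted per source so that an enumeration attempt stands out. The class name,
the in-memory store, and the policy constants are constructed for this example.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600        # assumed policy: a link is valid for 10 minutes
ENUMERATION_THRESHOLD = 20     # assumed policy: failed lookups per source before flagging


class MagicLinkService:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._tokens = {}        # token digest -> (user_id, expires_at)
        self._failures = {}      # source -> consecutive invalid-token lookups

    @staticmethod
    def _digest(token):
        # Store only a one-way digest so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        # secrets.token_urlsafe(32) yields 256 bits of CSPRNG output (43 URL-safe
        # chars), so neighbouring tokens share no structure and cannot be stepped through.
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, source):
        """Return the user id for a valid token, or None. Every lookup consumes the token."""
        entry = self._tokens.pop(self._digest(token), None)   # pop enforces single use
        if entry is None or entry[1] < self._now():
            self._failures[source] = self._failures.get(source, 0) + 1
            return None
        self._failures.pop(source, None)   # a genuine user resets the counter
        return entry[0]

    def is_enumeration_suspected(self, source):
        """True once a source has produced a run of invalid-token lookups."""
        return self._failures.get(source, 0) >= ENUMERATION_THRESHOLD


if __name__ == "__main__":
    svc = MagicLinkService()
    link_token = svc.issue("user-42")
    print("sign-in link token:", link_token)
    print("first redemption:", svc.redeem(link_token, "203.0.113.5"))
    print("second redemption:", svc.redeem(link_token, "203.0.113.5"))
```

The two properties that matter most are in `issue` and `redeem`: the token is drawn from a cryptographic random source rather than a counter, so there is no "next" value to try, and redemption pops the digest so a link that has already been used, or has expired, fails regardless of who presents it. The per-source failure counter is deliberately simple; in production it would feed a rate limiter or SIEM alert rather than a dictionary.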