Study finds SMS sign-in links expose users’ personal data at scale


Recently published research by teams from the universities of New Mexico, Arizona, Louisiana, and the firm Circle found that websites using sign‑in links and codes sent by SMS are imperiling the privacy of millions of people and leaving them vulnerable to scams, identity theft, and other crimes.

The researchers collected 322,949 unique SMS‑delivered URLs from more than 33 million texts sent to over 30,000 phone numbers, gathered by monitoring public SMS gateways. Among these they identified 701 endpoints, sending on behalf of 177 services, whose messages exposed "critical personally identifiable information" and put user security and privacy at risk.

The study found multiple weak practices: tokens in links could be enumerated or brute‑forced, some links allowed access to or modification of user data with no further authentication, and many links remained valid for years. The researchers warned that anyone holding such a link could obtain personal information including Social Security numbers, dates of birth, bank account numbers, and credit scores, and that the attacks were "straightforward to test, verify, and execute at scale." They cautioned that, because they examined only public SMS gateways, their view is limited and likely undercounts the true scope.
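The following is an added illustration, not code from the study or from any of the services it examined. It contrasts a link store with the weak properties described above (short sequential tokens, no expiry, reusable, no further authentication) against a hardened one, and shows how an attacker holding one weak link enumerates neighbouring tokens to pull other users' records. The user records, the `example.test` host, and the class and function names are all constructed for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample records for the example (not real data).
USERS = {
    "alice": {"dob": "1990-01-01", "acct_last4": "1234"},
    "bob": {"dob": "1985-05-05", "acct_last4": "5678"},
}

HOST = "https://example.test"  # hypothetical service


def token_from_url(url):
    """Pull the token out of the ?t= query parameter of a sign-in link."""
    return parse_qs(urlparse(url).query)["t"][0]


class WeakLinkStore:
    """Mirrors the weak practices the study reports: a short sequential
    token, no expiry, unlimited reuse, and no re-authentication."""

    def __init__(self):
        self._next = 1000
        self._tokens = {}  # token -> user

    def issue(self, user):
        token = str(self._next)  # predictable: previous + 1
        self._next += 1
        self._tokens[token] = user
        return f"{HOST}/view?t={token}"

    def redeem(self, token):
        user = self._tokens.get(token)
        return USERS[user] if user else None  # anyone with the link gets the data


def enumerate_neighbors(store, known_token, radius=5):
    """Attacker holding one link tries adjacent token values and collects
    every record the endpoint returns."""
    base = int(known_token)
    found = {}
    for candidate in range(base - radius, base + radius + 1):
        record = store.redeem(str(candidate))
        if record is not None:
            found[str(candidate)] = record
    return found


class HardenedLinkStore:
    """Unguessable token, stored only as a hash, short lifetime, single use,
    and the link alone is not enough: the caller must already be signed in
    as the user the link was issued to."""

    TTL_SECONDS = 15 * 60

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._pending = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user, self._now() + self.TTL_SECONDS)
        return f"{HOST}/view?t={token}"

    def redeem(self, token, session_user):
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None  # unknown, already used, or forged
        user, expires_at = entry
        if self._now() > expires_at:
            return None  # stale link
        if session_user != user:
            return None  # link holder is not the authenticated account owner
        return USERS[user]


if __name__ == "__main__":
    weak = WeakLinkStore()
    weak.issue("alice")
    weak.issue("bob")
    # An attacker who received alice's link walks the adjacent token values.
    print("weak store leaks:", enumerate_neighbors(weak, "1000"))

    hard = HardenedLinkStore()
    link = hard.issue("alice")
    tok = token_from_url(link)
    print("first redeem by alice:", hard.redeem(tok, "alice"))
    print("second redeem (replay):", hard.redeem(tok, "alice"))
```

The hardened store keeps only a hash of the token, so a leaked database copy does not yield usable links, and the `session_user` check is what prevents a forwarded or intercepted link from acting as the sole credential.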

Of 150 affected providers the team contacted, only 18 responded and seven fixed the failures.


Key Topics

Tech, Public SMS Gateways, Token Enumeration, Magic Link, Circle, Personal Data