Skip to main content

SMS-Delivered URLs: Security Risks of Frictionless User Experience

N2K NetworksJanuary 31, 202622 min52 views
29 connections·40 entities in this video→
Capture as you watch

Save any video to veridive in one click.

The free veridive Chrome extension pulls the transcript from any YouTube video or podcast you're watching β€” ready to ask, cite, and connect.

Add to Chrome

The Problem with Frictionless SMS URLs

  • πŸ’‘ SMS-delivered URLs are often designed for a frictionless user experience, leading to relaxed authentication and security checks.
  • ⚠️ This implicit trust that only intended users will access the link is dangerous, as SMS is an insecure and unencrypted channel.
  • πŸ“Œ Many services prioritize user experience over security, making it easy for users to click links without additional verification like OTP codes.

Widespread Security Failures Found

  • πŸ” Researchers analyzed over 322,000 unique URLs from 33 million messages, uncovering widespread security failures.
  • 🎯 Exposed PII was found across 701 endpoints at 177 services due to weak, token-based authentication.
  • πŸ“ˆ The study identified low-entropy tokens enabling mass URL enumeration and data overfetching issues.
  • 🧩 In some cases, changing a single character in a URL could grant access to another user's sensitive information, like insurance applications.

Overfetching and Exposed Data

  • πŸ“Š The research highlighted overfetching, where backends send more data than is visible in the UI.
  • ⚠️ This includes sensitive PII like names, email addresses, phone numbers, and even bank account details, credit scores, and social security numbers.
  • πŸ’» Even if not visible on the UI, this data can be found in network logs, which are often not audited.

Challenges in Responsible Disclosure

  • πŸ“ž Companies were difficult to reach, with many lacking proper security or vulnerability disclosure pages.
  • πŸ“§ Even when contacted, responses were slow or non-existent, with some companies dismissing security emails as spam.
  • βœ… Out of over 100 reported issues, only 17 companies responded, though 18 services eventually fixed flaws, improving privacy for millions.

Recommendations for Developers and Users

  • πŸ› οΈ Developers have access to good practices but often fail to implement them, prioritizing user experience over security.
  • ⚠️ Users should be cautious about entering sensitive information on less established or seemingly insecure websites.
  • πŸ’‘ The core issue is a lack of awareness and implementation of existing security best practices by service providers.
Ask, don't scrub

Discover the spoken web.

veridive answers questions with exact timestamps and citations β€” across every podcast, video, and article you've saved.

Open Chat
Knowledge graph40 entities Β· 29 connections

How they connect

An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.

Hover Β· drag to explore
40 entities
Chapters8 moments

Key Moments

Transcript81 segments

Full Transcript

Follow the thread

Find every place these ideas show up.

veridive maps the same people, claims, and topics across thousands of sources β€” so you can trace an idea from one conversation to the next.

Explore more
Topics12 themes

What’s Discussed

SMS SecurityURL SecurityFrictionless User ExperiencePersonally Identifiable Information (PII)AuthenticationToken-based AuthenticationURL EnumerationData OverfetchingResponsible DisclosureCybersecurity ResearchAPI SecurityGraphQL
Smart Objects40 Β· 29 links
PeopleΒ· 2
ProductsΒ· 2
MediasΒ· 4
ConceptsΒ· 26
CompaniesΒ· 4
EventsΒ· 2
veridive

Hours of content, seconds to the answer.

Save what you listen to. Ask it anything. Watch the threads between sources surface on their own.

Get started free