Voxox, formerly known as Telcentris, is a communications company based in San Diego, California. The company’s primary function is that of a gateway – it transforms the shortcode from other companies into texts and numbers.
In layman’s terms, the company is the space in between a user and a company. Voxox is what happens when you receive a text message from a company – say, a message about your eBay order or a code for your login. Voxox is one of the companies that converts the code coming in from the company and passes it on to the cell networks so that it can be delivered to a user’s phone.
Example of a text message that contains a user’s information: their phone number as well as their Microsoft account reset code.
The flaw was discovered by security researcher Sébastien Kaul. The database in question was running Elasticsearch by Amazon, and the exposed server was found on Shodan, a search engine for services and databases that can be accessed by the general public.
This allowed the Voxox data to be available to literally anyone who had an idea what they were looking for – all that was needed was a name, cell number or even partial content of a text message in order to search through the entire database.
Voxox pulled the database offline almost immediately after being made aware of the issue, and the company is currently looking into the problem and might release an official impact report soon.
Over 26 million messages were stored in the database. The problem at hand, though, is not what users might do with the data they found but whether that data had already been used long before Voxox was made aware of the issue, because the data contained within the server is temporary and once it goes offline, it’s not useful anymore.
SMS-based two-factor authentication is slowly becoming a thing of the past, and if what happened to Voxox is to serve us in any way, hopefully it will be to make the SMS-based system obsolete.