
SMS-delivered login links have created security risks for millions of users


Many online platforms - from insurance and recruitment services to educational portals - are increasingly moving away from the traditional “username-and-password” authentication model. Instead of relying on this approach, users receive an SMS containing a login link to access their accounts. Although this new method eliminates the need to remember passwords, recent research indicates that SMS-delivered “login links” can create significant security risks for users.

According to the study’s results, the systems responsible for delivering these links can compromise the privacy of millions of individuals. Researchers identified more than 700 technical endpoints used to distribute such links on behalf of over 175 services. Drawing on data collected from public SMS gateways (i.e., services that receive SMS messages via virtual numbers), they analyzed 33 million SMS messages sent to 30,000 numbers and extracted 322,949 unique URLs from those messages.

Experts note that, in such cases, it becomes significantly easier for third parties to gain access to users’ accounts. In 125 out of 701 services, the security token embedded in the link (the code appended to the end of the URL) was found to be vulnerable to sequential enumeration. An attacker can systematically modify the token contained in a legitimate link and test closely related variants - for example, substituting “ABD” for “ABC” or “124” for “123.” The study reports that, in certain cases, this technique enabled unauthorized access to other users’ accounts.

In some services, the number of possible token combinations is relatively limited, which increases the risk of accounts being compromised through brute-force attempts. In addition, many links remain active for extended periods, sometimes even for years, further increasing the likelihood of unauthorized access.

Another critical concern is the risk of intercepting SMS traffic, since SMS messages are often transmitted without encryption. Previous studies have also identified publicly accessible databases storing older SMS messages, including login links and other sensitive information. In particular, a 2019 incident reported the exposure of millions of messages exchanged between a company and its customers; the leaked content reportedly included usernames, account details, information related to financial applications, and other data.

The research notes that 701 endpoints associated with 177 services transmitted critical personal data through these weak links. As a result, attackers could obtain sensitive information, such as social security numbers, bank account details, and credit scores, either by guessing link tokens or by gaining access to SMS archives.

According to the information provided, the researchers contacted 150 major service providers to address the issue. However, only 18 companies responded, and just 7 of them fixed the identified gaps. The experts also advised users to report the issue to the relevant service where possible and to delete their personal data from such platforms.

In experts’ opinion, “login links” sent via SMS or email can be considered more trustworthy only when minimum security standards are applied. These standards include keeping the link valid for a short period (24 hours at most, and preferably less), allowing it to be used only once, and generating the token in a sufficiently long and random form (at least 64 bits of entropy). In addition, applying a second authentication factor (for example, an extra password or 2FA) and limiting login attempts are also regarded as important measures to reduce risk.
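As an added example that is not part of the article or of the study it reports on, the following Python issuer/verifier implements the standards listed above (a CSPRNG token with at least 64 bits of entropy, short validity, single use, attempt limiting) and includes a helper showing why short counter-style tokens of the “123”/“124” kind fall far below the 64-bit floor; the class and function names are my own.

```python
import hashlib
import math
import secrets
import time

TOKEN_BYTES = 16             # 128 bits of randomness, double the 64-bit floor
TOKEN_TTL_SECONDS = 15 * 60  # well under the 24-hour ceiling
MAX_FAILED_ATTEMPTS = 5      # per client before redemption is refused


def token_entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


class MagicLinkStore:
    """Issues and redeems single-use, short-lived login-link tokens.

    `clock` is injectable so expiry can be exercised without waiting.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, max_failed=MAX_FAILED_ATTEMPTS,
                 clock=time.time):
        self._tokens = {}    # sha256(token) -> (user, expires_at)
        self._failures = {}  # client id -> failed redemptions
        self._ttl, self._max_failed, self._clock = ttl, max_failed, clock

    @staticmethod
    def _digest(token):
        # Store a hash rather than the token, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, never a counter
        self._tokens[self._digest(token)] = (user, self._clock() + self._ttl)
        return token

    def redeem(self, token, client):
        """Return (user or None, reason). A matching token is consumed on first use."""
        if self._failures.get(client, 0) >= self._max_failed:
            return None, "locked"
        entry = self._tokens.pop(self._digest(token), None)  # single use
        if entry is None:
            self._failures[client] = self._failures.get(client, 0) + 1
            return None, "invalid"
        user, expires_at = entry
        if self._clock() > expires_at:
            return None, "expired"
        self._failures.pop(client, None)
        return user, "ok"
```

A six-digit numeric token carries under 20 bits of entropy, whereas a random URL-safe token of 11 or more characters clears the 64-bit recommendation.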

Overall, the conclusion is that SMS-based login is now widely used and is unlikely to disappear entirely within a short period of time. For this reason, users should be aware that if some services fail to meet basic security requirements, it can create a real risk of confidential data being exposed and user accounts being compromised without authorization.
