A technology company specializing in cellular networking equipment and SMS text message routing services has recently experienced a security lapse that may have impacted its users’ online accounts.
The internal database of the Asian technology and internet company, YX International, was found to be exposed, potentially revealing sensitive information that could grant access to popular online services like Facebook, Google, and TikTok.
The company, known for sending an impressive five million SMS text messages every day, offers a crucial service in getting time-sensitive messages to their intended recipients, such as one-time security codes or login links for various online platforms.
However, a security researcher named Anurag Sen stumbled upon the unsecured database, which was accessible to anyone with the knowledge of its public IP address and a standard web browser. Sen, who specializes in finding unintentionally exposed data sets on the internet, shared his discovery with TechCrunch in hopes of identifying the database’s owner and resolving the issue.
According to Sen, the database contained a wealth of information, including the contents of text messages sent to users, such as one-time passwords and password reset links for major tech companies like Facebook, WhatsApp, and Google, as well as popular social media app TikTok. The database also contained monthly logs dating back to 2023 and was continuously growing in size.
One of the primary concerns with the exposed database is the potential risk to 2FA, or two-factor authentication, which offers added security for online accounts by requiring an additional code to be entered, typically sent to a trusted device such as a phone. However, when it comes to SMS text messages, this form of 2FA is not foolproof, as messages are susceptible to interception or exposure, as demonstrated in this case.
Upon learning about the exposed database, TechCrunch also discovered sets of internal email addresses and corresponding passwords for YX International employees. The company was alerted to the issue, and the database was promptly taken offline. A YX International representative, choosing not to disclose their name, confirmed that the vulnerability had been addressed.
An interesting detail in this incident is that the YX International representative claimed that the server did not keep access logs, which would have shown if anyone other than Sen had accessed the database and its contents. As of now, it remains unknown how long the database was left exposed.
When contacted for comment, representatives for Meta, Google, and TikTok declined to respond.