Unlocked Backdoor Leaks Sensitive 2FA Information to the Internet

otp text, otp, one time password, text, SMS, YX International

Chinese telecommunications products manufacturer YX International had unintentionally leaked sensitive data to the internet, jeopardizing one-time password (OTP) text messages.

  • YX International provides SMS text message routing services, including OTP texts.
  • One of the company’s databases had been left exposed on the internet without password protection.

Good-faith security researcher Anurag Sen discovered that Chinese telecom products manufacturer, YX International, leaked sensitive data to the internet.

YX International is a Chinese technology internet company that manufactures cellular networking equipment while also providing SMS text message routing services. This company plays a major role in telecommunications on a global scale. It facilitates the transmission of millions of SMS text messages daily.

However, Anurag Sen, a good-faith security researcher known for uncovering data vulnerabilities online, identified the breach. With help from TechCrunch, Sen found that one of the company’s databases was left exposed on the internet without password protection. This oversight allowed unrestricted access to anyone with knowledge of the database’s public Internet Protocol (IP) address.

Hold on; it gets worse than an international company handling networks being neglectful.

The exposed database contained a trove of sensitive information that has been accumulating since July 2023, including text messages sent to users. You might be thinking how risky it is to access text messages about promo codes and H&M’s latest sales. But remember that these text messages also include OTPs and password reset links coming from major tech and online companies.

You might ask yourself, why is this so important? The simple answer is that it jeopardizes one of our most secure security measures: two-factor authentication (2FA). Some 2FA are linked to authenticator apps, which are app-based code generators, like Google Authenticator or Microsoft Authenticator. However, sometimes, 2FA will be SMS-based, meaning the system you are trying to log into will send your one-time password to your phone. And almost everything nowadays gives you the option of enabling two-factor authentication, from Instagram to PayPal.

This leak proves that these SMS messages are susceptible to interception and exposure. Not good. It breaks the user’s trust.

The investigation unearthed sets of YX International internal email addresses and associated passwords from the leaked database. So, their neglect harmed users and employees.

After Sen and TechCrunch notified the company, YX International took swift action, sealing the vulnerability and taking the database offline. Had it not been for some good Samaritan testing companies’ security and warning the company, YX International wouldn’t have known of their unlocked backdoor. That fact is chilling. God knows how many people found this and took advantage of it.

The affected tech giants, including Meta, Google, and TikTok, either remained silent or refused to comment. What are they supposed to say when a third party messes up this royally, anyway?

This situation leaves us with two questions. How does an international company that makes money transporting sensitive information forget to lock its backdoor? And is it time to redesign 2FA to something much more reliable?

Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Tech sections to stay informed and up-to-date with our daily articles.