- SMS login links rely solely on possession, leaving private accounts dangerously exposed
- Weak tokens allow attackers to guess valid links and access other users’ accounts
- Unencrypted text messages remain a fragile basis for account authentication
Many online services now rely on login links or codes sent via SMS instead of traditional passwords, which reduces the steps needed to access an account and avoids storing password databases, a frequent target for attackers.
Despite its convenience, SMS remains an unencrypted communications channel, making it vulnerable to interception, reuse, and long-term exposure.
And now, a new technical study has examined more than 322,000 unique URLs taken from more than 33 million SMS messages linked to more than 30,000 phone numbers, finding the messages linked to at least 177 digital services, including platforms offering insurance quotes, job offers and personal referrals.
Practical but at what price?
Even in a limited observation window using public SMS gateways, the review identified repeated exposure of sensitive user data across hundreds of service endpoints.
The main security flaw involved authentication systems that considered possession of a URL sent via SMS as sufficient proof of identity.
Anyone obtaining such a link could access users’ private information without further verification, which often included dates of birth, banking details and credit-related records.
The researchers also observed that 125 services used low-entropy tokens, which allowed valid links to be guessed by modifying the characters.
Some links remained active for months or even years, extending the risk well beyond the initial connection attempt.
Additionally, mismatches between visible interface elements and backend data requests caused unnecessary over-extraction of personal information.
The number of affected services is likely underestimated, given the narrow visibility provided by public SMS gateways.
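The low-entropy tokens and long-lived links described above have a direct server-side fix. The sketch below is an added example, not code from the study or from any service it examined, and it assumes a 128-bit random token, a 10-minute lifetime, single use, an in-memory dict in place of a database and a hypothetical `service.example` URL. It does not address the separate problem of treating possession of the link as the only proof of identity.

```python
import hashlib
import math
import secrets
import time

TOKEN_BYTES = 16        # assumed: 128 bits from the OS CSPRNG
TTL_SECONDS = 600       # assumed: link valid for 10 minutes
_store = {}             # sha256(token) -> record; stands in for a DB table


def token_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random token."""
    return length * math.log2(alphabet_size)


def issue_link(user_id, now=None):
    """Create a single-use token; only its hash is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _store[digest] = {"user": user_id, "expires": now + TTL_SECONDS, "used": False}
    return "https://service.example/l/" + token   # hypothetical URL


def redeem(token, now=None):
    """Return the user id once for a live token, otherwise None."""
    now = time.time() if now is None else now
    rec = _store.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True          # a replayed or leaked link stops working
    return rec["user"]


if __name__ == "__main__":
    # Constructed comparison: a short token versus the one issued here.
    print("6 chars of [a-z0-9]: %.1f bits" % token_bits(36, 6))
    print("issued token: %d bits" % (TOKEN_BYTES * 8))
    url = issue_link("user-123", now=0)
    tok = url.rsplit("/", 1)[1]
    print(redeem(tok, now=30), redeem(tok, now=31))   # second use is refused
```

Storing only the hash means a leaked token table cannot be replayed as working links, and the short lifetime limits how long a message sitting on a public gateway or in a stored inbox remains useful.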
SMS traffic travels without encryption, and previous revelations have shown that stored text messages can remain accessible long after they are delivered.
Despite these known limitations, SMS authentication continues to grow due to its perceived convenience and reduced reliance on password storage.
Of approximately 150 providers contacted during the study, only 18 acknowledged the reported weaknesses and even fewer implemented corrective actions.
These changes would have reduced the exposure of tens of millions of users, although most services offered no public response.
User-side defenses, such as a firewall, do little to reduce the risks created by faulty authentication logic.
Likewise, malware removal tools offer little protection when access requires nothing more than a valid link.
The findings raise questions about how identity theft protection services assess threats that arise from design choices rather than direct account compromise.
These issues highlight a structural reliance on service providers to correct weaknesses that remain largely invisible to affected users.




