AWS SMS Data Exfiltration Attacks

Think SMS MFA is keeping your users safe? Think again!
Let's say you regularly send your users SMS messages. One of the most common I see is MFA messages.
Now let's say that a malicious party gets SNS access (see my previous post on SNS vulnerabilities for just a few of the ways that can happen).
Let's say each user gets an endpoint for their device, and each endpoint is subscribed to one topic dedicated to that user.
Now imagine that a malicious user with elevated privileges creates an endpoint (or, more likely, several) for themselves and subscribes it to the legitimate users' SNS topics.
Then every time you send a legitimate user an MFA token, guess who else gets that text? The malicious party. In the infosec world this is called “data exfiltration”.
What can you do?
First, obviously, audit your IAM roles, AWS credentials, etc. to be sure no one can get elevated access.
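The same audit can be extended to the SNS topics themselves: with one topic per user and one registered phone number per topic, any subscription whose endpoint is not that number is exactly the rogue subscriber described above. The check below is an added example, not code from the original post; the topic ARNs, phone numbers and subscription records are constructed, and the records are shaped like the output of the SNS ListSubscriptionsByTopic API.

```python
"""Flag unexpected subscriptions on per-user SNS MFA topics (constructed example)."""

# Constructed: what the application believes each user topic should deliver to.
# In a real audit this comes from your own user store, not from SNS.
EXPECTED_ENDPOINTS = {
    "arn:aws:sns:us-east-1:123456789012:user-alice": "+15555550100",
    "arn:aws:sns:us-east-1:123456789012:user-bob": "+15555550101",
}

# Constructed: records in the shape ListSubscriptionsByTopic returns. Live, you
# would collect them with boto3.client("sns").list_subscriptions_by_topic(
# TopicArn=...)["Subscriptions"], following NextToken across pages.
SUBSCRIPTIONS = [
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:user-alice", "Protocol": "sms",
     "Endpoint": "+15555550100", "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:user-alice:sub-1"},
    # Second SMS subscriber on Alice's topic: a number the user store does not know.
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:user-alice", "Protocol": "sms",
     "Endpoint": "+15555550199", "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:user-alice:sub-2"},
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:user-bob", "Protocol": "sms",
     "Endpoint": "+15555550101", "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:user-bob:sub-3"},
    # Non-SMS subscriber on Bob's topic: an MFA topic should never fan out to a webhook.
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:user-bob", "Protocol": "https",
     "Endpoint": "https://hook.example.invalid/collect", "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:user-bob:sub-4"},
]


def find_rogue_subscriptions(subscriptions, expected):
    """Return the subscriptions that should not exist on a per-user MFA topic.

    A subscription is flagged when its topic is not a known user topic, its
    protocol is anything other than SMS, or its endpoint is not the phone
    number registered for that user. Pending (unconfirmed) subscriptions are
    still flagged, since an attacker only needs the confirmation to land.
    """
    findings = []
    for sub in subscriptions:
        topic = sub["TopicArn"]
        allowed = expected.get(topic)
        if allowed is None:
            reason = "topic is not a known user topic"
        elif sub["Protocol"].lower() != "sms":
            reason = f"non-SMS protocol {sub['Protocol']!r} on an MFA topic"
        elif sub["Endpoint"] != allowed:
            reason = "endpoint does not match the user's registered number"
        else:
            continue  # the one subscription this topic is supposed to have
        findings.append({"SubscriptionArn": sub["SubscriptionArn"], "TopicArn": topic, "Reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_rogue_subscriptions(SUBSCRIPTIONS, EXPECTED_ENDPOINTS):
        print(f"{finding['TopicArn']}: {finding['Reason']} ({finding['SubscriptionArn']})")
```

Run on a schedule or from a CloudTrail-triggered function, a non-empty result is the signal to investigate who created the subscription and with which credentials.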
Beyond that, be really mindful of what you send out in those SMS messages. Are you sending any personally identifiable information with the SMS that would allow the malicious party to guess at the user's username? If so, that might be an issue.
Is it one of those damn “magic links” that just automatically logs you in? Then what is to stop the bad guy from opening that link before the legitimate user does?