Online services often treat one-time links sent by text message as low-risk conveniences. A new study shows that these links can expose large amounts of personal data for years.
Malicious URLs continue to shift from email to SMS
According to Proofpoint, cybercriminals favor malicious URLs over attachments, as they are easier to disguise and more likely to evade detection. These links are embedded in messages, buttons, and even inside attachments like PDFs or Word documents to entice clicks that initiate credential phishing or malware downloads.
SEKOIA.IO recently found that exposed management APIs on industrial cellular routers were being abused to send phishing SMS messages.
Palo Alto Networks Unit 42 identified a large, coordinated smishing operation that uses hundreds of thousands of short-lived domains and brand impersonation to steal personal and financial data through SMS phishing messages worldwide.
Group-IB researchers report that fraudsters are abusing legitimate SMS-based services by repeatedly triggering verification and notification messages to generate illegitimate traffic, driving up messaging costs and infrastructure load for businesses.
How researchers collected data through public SMS gateways
In the study, the researchers built their dataset using public SMS gateways, websites that display messages sent to temporary phone numbers. From these gateways, they collected more than 33 million messages tied to over 30,000 phone numbers. From that pool, they extracted about 323,000 unique URLs.
Those links pointed to more than 10,900 domains. Many belonged to messaging platforms and verification services, while a long tail of smaller providers accounted for nearly half of the URLs. This mix allowed the team to study a wide range of design choices tied to SMS-based access.
To understand what each link exposed, the researchers visited URLs using an automated browser. They captured page content, network traffic, and underlying HTML. They avoided form submissions and limited requests to reduce harm while still observing client-side behavior.
Figure: The pipeline proceeds in four stages.
Finding exposed personal data
The next phase focused on personal data exposure. The team used automated detection followed by expert review to identify user data. They examined visible page content along with hidden API responses and server-rendered data.
Out of roughly 147,000 accessible URLs, the researchers confirmed 701 endpoints that exposed personal data tied to users. These endpoints belonged to 177 different services.
The exposed data included names, phone numbers, email addresses, postal addresses, dates of birth, bank account details, Social Security numbers, and credit-related fields. In many cases, several data types appeared together, allowing construction of detailed user profiles from a single link.
Private links that remain valid for years
One of the most significant findings involved how long these links remained active. All 701 confirmed URLs still worked when the researchers accessed them, often long after the original message was sent.
More than half of the exposed links were between one and two years old. About 46% were older than two years. Some dated back to 2019. Public SMS gateways rarely retain messages for that long, which suggests that the actual lifetime of many links may extend even further.
“The risk starts as soon as a private link is exposed, but it grows with time. The longer a link stays active, the more chances there are for abuse through logs, forwarding, compromised devices, message interception, phone number recycling, or third-party access. It’s similar to leaving a wallet in public: the longer it’s there, the more likely someone will eventually take it,” Muhammad Danish, Research Assistant at The University of New Mexico and co-author of the study, told Help Net Security.
When the URL itself becomes the credential
In all of the confirmed cases, possession of the URL acted as the only requirement for access. The study describes this pattern as a bearer link model, where the link itself functions as the credential. Anyone holding the link could see the associated data.
In many services, the link carried a token passed to backend APIs. Some pages rendered data server side, while others fetched information after load. Only five services placed personal data directly inside the URL itself, though access results were similar once the link was opened.
This design assumes the link remains private. According to Danish, product pressure plays a central role in keeping this pattern widespread. SMS-based “magic links” support smooth one-tap workflows and align with mobile user expectations. Many service providers assume that links will only be accessed by the intended recipient and that private endpoints do not require additional protection. Repeated evidence shows that SMS does not provide a secure boundary, even though systems continue to rely on it as one.
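
The link lifetime and bearer-link findings above both come down to a token that never stops working. The sketch below is an added example, not code from the study or from any affected service: it bounds a link's lifetime and allows one redemption. The 15-minute lifetime, the single-use policy and the in-memory `LinkStore` class are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime; choose per workflow


class LinkStore:
    """In-memory stand-in for a table of issued links (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._rows = {}      # sha256(token) -> {"user", "expires", "used"}

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = {
            "user": user_id,
            "expires": self._now() + LINK_TTL_SECONDS,
            "used": False,
        }
        # Only the hash is stored, so a leaked table does not yield live links.
        return token

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.get(digest)
        # Unknown, replayed and expired links all get the same answer.
        if row is None or row["used"] or self._now() >= row["expires"]:
            return None
        row["used"] = True
        return row["user"]


if __name__ == "__main__":
    store = LinkStore()
    link_token = store.issue("user-1")
    print(store.redeem(link_token))  # first use succeeds
    print(store.redeem(link_token))  # replay is rejected
```
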
When exposed links allow data modification and account takeover
Most exposed pages allowed read-only access. Still, 15 services allowed adversaries to modify personal data. These cases involved prefilled forms that accepted edits without further checks.
One example involved a loan application page where the link opened an editable form containing extensive financial and identity information. During testing, the same token sometimes resolved to different users, increasing exposure beyond the original recipient.
Account takeover appeared in six services. In these cases, opening the link placed the visitor into an authenticated session. Attackers could view private dashboards and change email addresses or passwords.
The researchers observed these behaviors on job platforms and tutoring services where short links led directly into user accounts, collapsing the separation between viewing a page and being treated as the user.
Extra data hiding in network traffic
In 76 services, backend systems sent more personal data than the page displayed. Network responses and server-rendered HTML included fields never shown on screen.
In one case, an order tracking page displayed an address, while API responses included phone numbers, geolocation data, and driver details. In another, a loan service returned bank routing numbers and Social Security numbers that were only visible in network logs.
This data became reachable as soon as the link was opened, even before the page finished loading. Danish said these exposures often escape notice because testing focuses on visible interface elements. Reviewing network traffic requires additional time and specialized knowledge. In some cases, excess data remains due to convenience during development. In others, older code paths persist after interface changes, leaving sensitive fields embedded in responses long after they are needed.
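
A check for this kind of over-returning can run in a service's own tests. The following is an added example, not code from the study: it compares the fields in an API response against the fields the page renders and builds a minimized response. The response body is constructed, modelled on the order-tracking case above, and the `DISPLAYED` allowlist and function names are assumptions.

```python
import json

# Fields the order-tracking page renders (assumed for this example).
DISPLAYED = {"order_id", "status", "delivery.address"}

# Constructed API response, modelled on the order-tracking case above.
SAMPLE_RESPONSE = json.dumps({
    "order_id": "A-1001",
    "status": "out_for_delivery",
    "delivery": {"address": "12 Example St", "phone": "+1-555-0100",
                 "geo": {"lat": 35.08, "lon": -106.62}},
    "driver": {"name": "Sample Driver", "phone": "+1-555-0101"},
})


def leaf_paths(obj, prefix=""):
    """Yield a dotted path for every leaf value; list items get '[]'."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from leaf_paths(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from leaf_paths(item, prefix + "[]")
    else:
        yield prefix


def excess_fields(body, displayed):
    """Fields present in the response that the page never shows."""
    return sorted(set(leaf_paths(json.loads(body))) - displayed)


def minimize(obj, displayed, prefix=""):
    """Copy obj, keeping only allowlisted leaves and dropping empty branches."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            kept = minimize(value, displayed, f"{prefix}.{key}" if prefix else key)
            if kept is not None:
                out[key] = kept
        return out or None
    if isinstance(obj, list):
        items = [minimize(item, displayed, prefix + "[]") for item in obj]
        return [item for item in items if item is not None] or None
    return obj if prefix in displayed else None


if __name__ == "__main__":
    print(excess_fields(SAMPLE_RESPONSE, DISPLAYED))
```
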
Weak token design enables mass exposure
Token design played a major role in expanding impact. The researchers analyzed token length and character sets to estimate entropy. Tokens with less than 64 bits of entropy, meaning they were easier to guess, were flagged as weak. About 73% of token-based services fell into this category. In manual testing, the team accessed another user’s data within ten guesses for 13 services.
Some tokens reused internal identifiers such as quote numbers. Incrementing a value often returned a different customer record. Short links compounded the issue when they redirected to stronger URLs, since attackers only needed to guess the weakest component.
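
The length-and-character-set estimate described above can be applied to a service's own tokens. This is an added example, not the researchers' tooling: the alphabet list, the "numeric tokens a few steps apart" heuristic for reused identifiers and the sample tokens are all assumptions or constructed values, and the result is an upper bound on entropy, since it assumes every character is chosen uniformly at random.

```python
import math
import string

WEAK_THRESHOLD_BITS = 64  # threshold reported in the article

# Candidate alphabets, smallest first; the first that covers every observed
# character is taken as the token alphabet (a heuristic for this example).
ALPHABETS = [
    ("digits", string.digits),
    ("hex", string.digits + "abcdef"),
    ("lowercase+digits", string.ascii_lowercase + string.digits),
    ("base62", string.ascii_letters + string.digits),
    ("base64url", string.ascii_letters + string.digits + "-_"),
]


def audit_service(tokens):
    """Upper-bound entropy from a non-empty list of one service's tokens."""
    seen = set("".join(tokens))
    name, size = "observed", max(len(seen), 2)  # fallback: symbols seen
    for candidate, chars in ALPHABETS:
        if seen <= set(chars):
            name, size = candidate, len(chars)
            break
    length = min(len(t) for t in tokens)  # shortest token bounds the space
    bits = length * math.log2(size)
    numeric = all(t.isdigit() for t in tokens)
    values = sorted(int(t) for t in tokens) if numeric else []
    # Numeric tokens a few steps apart suggest a counter or record id.
    gaps = [b - a for a, b in zip(values, values[1:])]
    sequential = bool(gaps) and max(gaps) <= 10
    return {"alphabet": name, "length": length, "bits": round(bits, 1),
            "weak": bits < WEAK_THRESHOLD_BITS, "sequential": sequential}


# Constructed sample tokens, grouped by hypothetical service.
SAMPLES = {
    "quote-ids": ["104233", "104234", "104236"],
    "short-link": ["aZ3kQ9", "Lm20xP", "q8RtY1"],
    "hex-128": ["9f1c2ab47d3e4c0f8a6b5d2e1f0c3b7a"],
    "random-url": ["k3J9_vQ2-xLmP0aRtYw8ZbN4cDeF"],
}

if __name__ == "__main__":
    for service, toks in SAMPLES.items():
        print(service, audit_service(toks))
```

When a short link redirects to a longer URL, audit both: the weaker of the two results is the one that applies.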
Secondary verification checks that fail under pressure
Only a small number of services used secondary verification checks, and those checks provided little protection. Services layered them onto SMS-delivered private URLs and relied on static personal details, most often date of birth or ZIP code, to control access. The designs assumed the information would stay private and be hard to guess. Four services allowed repeated guesses with no limits, lockouts, or alerts, which made repeated attempts possible.
The checks also exposed additional information. One service revealed an age range after an incorrect date-of-birth entry, which narrowed the set of possible values. Another service sent the required verification details in other SMS messages to the same phone number, allowing access to one message to expose the rest.
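
The missing limits, lockouts and alerts described above can be sketched as follows. This is an added example, not code from any affected service: the `SecondaryCheck` class, the five-failure limit and the sample values are assumptions, and the answer being checked is a date of birth as in the cases above.

```python
import hmac

MAX_FAILURES = 5  # assumed limit per link before lockout


class SecondaryCheck:
    """Date-of-birth style check with a failure cap, lockout and alert."""

    def __init__(self, expected_by_link):
        self._expected = expected_by_link  # link id -> expected answer
        self._failures = {}                # link id -> consecutive failures
        self.alerts = []                   # link ids that hit the cap

    def verify(self, link_id, answer):
        if self._failures.get(link_id, 0) >= MAX_FAILURES:
            return "locked"  # stays locked until the link is re-issued
        expected = self._expected.get(link_id)
        if expected is not None and hmac.compare_digest(
                answer.encode(), expected.encode()):
            self._failures.pop(link_id, None)
            return "ok"
        count = self._failures.get(link_id, 0) + 1
        self._failures[link_id] = count
        if count == MAX_FAILURES:
            self.alerts.append(link_id)  # hand off to monitoring
        # One fixed answer for every wrong guess: no age range, no hint
        # about which part of the date was wrong.
        return "denied"


if __name__ == "__main__":
    # Constructed sample data.
    check = SecondaryCheck({"link-1": "1990-04-12"})
    for day in range(1, 8):
        print(day, check.verify("link-1", f"1990-04-{day:02d}"))
    print(check.alerts)
```
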
Rethinking trust in SMS-delivered access
The study challenges a quiet assumption embedded in digital services that SMS delivery creates a sufficient boundary of trust. Treating URLs as credentials shifts security from authentication systems into message handling, device hygiene, and telecommunications infrastructure, areas most service providers do not control.
The researchers disclosed their findings to 150 affected services, reporting issues individually rather than through a coordinated program. Only 18 services responded, and seven implemented fixes. Follow-up phone calls improved engagement in a small number of cases. A 12% response rate suggests that most reported exposures remained unacknowledged, leaving affected links active and user data accessible for extended periods.
As long as private links are designed for convenience first and lifecycle management second, exposure becomes an inevitability.
