Digital service providers often prioritize a frictionless user experience by adopting technologies that simplify access to their services. One widely used mechanism is the Short Message Service (SMS) to deliver links (URLs) that enable single-click access to online services with little to no resistance. However, SMS is inherently insecure, and numerous reports have documented message interception and data leaks. Thus, placing excessive trust in such an insecure channel opens avenues for unintended access and exploitation by adversaries. In this paper, we present a comprehensive investigation of the implications of SMS-delivered URLs from the lens of public SMS gateways. We conduct the study on more than 322K unique SMS-delivered URLs extracted from more than 33 million messages across more than 30K phone numbers, revealing critical security and privacy vulnerabilities. We identify and validate critical Personally Identifiable Information (PII) exposure in 701 endpoints affecting 177 services. Our manual investigation of the root cause of the exposure reveals a weak authentication model that hinges upon tokenized bearer links as sufficient authorization proofs, thereby allowing anyone with the URL to access private user information, including social security number, date of birth, bank account number, and credit score. Additionally, we identify 125 services allowing mass enumeration of valid URLs due to low entropy within tokens, thereby cascading the privacy risks beyond the initially compromised users. Furthermore, we identify mismatches between the GUI and the data fetched by the client, extending the scale of privacy leakage. In particular, we identify 76 services that perform data overfetching. Finally, 18 services have acknowledged and addressed the weaknesses in their services, thereby enhancing the privacy of at least 120M users.
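The two findings above that a service owner can measure directly are the token-space size behind its bearer links and the replacement for weak tokens. The following is an added example, not code from the paper or its authors: it groups a constructed sample of SMS-delivered URLs (hypothetical `.test` hosts) by host, treats the last path segment as the token, bounds the token space in bits from the inferred alphabet and length, and flags hosts below an assumed 64-bit floor; `mint_link_token` shows the CSPRNG-backed token a service should issue instead.

```python
import math
import secrets
import string
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of SMS-delivered links (hypothetical hosts, not from the paper's data).
SAMPLE_URLS = [
    "https://example-bank.test/stmt/000123",
    "https://example-bank.test/stmt/000124",
    "https://example-bank.test/stmt/000987",
    "https://example-shop.test/order/aZ9kQ2mL7xP4bN8r",
    "https://example-shop.test/order/Rt5yU1oP3wQ9eK2s",
    "https://example-shop.test/order/Vb7nM4xZ2cL8kJ6h",
]

# Assumed policy threshold: a token that is the only authorization proof
# should leave at least 64 bits of guesswork.
MIN_TOKEN_BITS = 64

def infer_charset_size(tokens):
    """Infer the alphabet a token scheme draws from, by character class."""
    joined = "".join(tokens)
    for alphabet, size in ((string.digits, 10), (string.hexdigits, 16),
                           (string.ascii_letters + string.digits, 62),
                           (string.ascii_letters + string.digits + "-_", 64)):
        if all(c in alphabet for c in joined):
            return size
    return len(set(joined))  # fall back to the characters actually observed

def token_space_bits(tokens):
    """Upper bound on the token space: length * log2(alphabet). Real entropy is
    lower still if tokens are sequential or structured (e.g. 000123, 000124)."""
    return max(len(t) for t in tokens) * math.log2(infer_charset_size(tokens))

def audit_links(urls):
    """Group URLs by host, take the last path segment as the token, and flag
    hosts whose token space is small enough to enumerate."""
    by_host = defaultdict(list)
    for url in urls:
        parsed = urlparse(url)
        token = parsed.path.rstrip("/").rsplit("/", 1)[-1]
        if token:
            by_host[parsed.hostname].append(token)
    return {host: {"bits": round(token_space_bits(toks), 2),
                   "enumerable": token_space_bits(toks) < MIN_TOKEN_BITS}
            for host, toks in by_host.items()}

def mint_link_token():
    """What a service should issue instead: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)

if __name__ == "__main__":
    for host, result in audit_links(SAMPLE_URLS).items():
        print(host, result)
```

The bit count is optimistic by design: a six-digit space is under 20 bits even before accounting for the sequential issuance visible in the sample, which is why the audit treats it as a floor rather than a measure of actual entropy.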