
February 1, 2026

Millions of people log in to their accounts via an SMS link, and that can put you in a difficult position

Passwordless login via SMS message seems practical and secure, but a new analysis reveals a serious crack in that model. Researchers found that at a large number of services, mere possession of the link from the SMS functions as proof of identity, with no additional verification.

TL;DR

  • Passwordless SMS logins have a critical flaw: possession of an SMS link can grant access to private user data.
  • The vulnerability stems from the system's design, where the link itself is treated as sufficient identity proof.
  • An analysis of over 322,000 URLs from 33 million SMS messages across 177 services revealed this issue.
  • Sensitive data like birth dates and financial information can be accessed without additional authentication.
  • Some services used weak tokens, potentially allowing links to be guessed, and links remained active for extended periods.
  • Traditional security measures like antivirus software are ineffective against this design flaw.
  • Few companies have responded adequately after being notified of the vulnerabilities, with most remaining silent.
  • The convenience of SMS login comes with an often-unforeseen security cost for users.
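
The three design problems listed above (guessable tokens, long-lived links, and the link alone unlocking sensitive data) each have a server-side counterpart. The sketch below is an added example, not code from the analysis or from any of the services it covered; `LoginLinkStore`, `can_view_sensitive`, the 10-minute lifetime and the `verified` flag are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed policy: link valid for 10 minutes


class LoginLinkStore:
    """Hypothetical in-memory store for SMS login links (illustration only)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._records = {}  # sha256(token) -> record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account_id):
        # 256 bits from the OS CSPRNG: not guessable or enumerable,
        # unlike counters, timestamps or short numeric codes.
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "account": account_id,
            "expires": self._clock() + self._ttl,
            "used": False,
        }
        return token  # only the hash is kept server-side

    def redeem(self, token):
        """Return a limited session for a valid link, else None."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec["used"] or self._clock() >= rec["expires"]:
            return None
        rec["used"] = True  # single use: a forwarded or leaked link is dead
        # The link proves possession of one SMS only, so the session
        # it yields is not yet allowed to show sensitive fields.
        return {"account": rec["account"], "verified": False}


def can_view_sensitive(session):
    # Birth dates, financial data etc. require a second check
    # (assumed to set verified=True elsewhere) beyond holding the link.
    return bool(session and session.get("verified"))
```
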