This study addresses critical security and privacy vulnerabilities in single-point authorization URLs commonly embedded in SMS messages, which suffer from insecure transmission and weak authentication mechanisms, leading to sensitive user data exposure. Through the first large-scale empirical analysis of 322,000 such URLs extracted from a dataset of 33 million SMS messages, the authors combine personally identifiable information (PII) detection, token entropy evaluation, and front-end/back-end consistency checks to uncover three major risks: 701 endpoints leaking PII across 177 services, 125 services vulnerable to enumeration attacks, and 76 services over-collecting user data. The findings prompted 18 service providers to patch their systems, enhancing privacy protections for over 120 million users, and systematically expose fundamental flaws in SMS-based link authentication for the first time.

Digital service providers often prioritize a frictionless user experience by adopting technologies that simplify access to their services. One widely used mechanism is the Short Message Service (SMS) to deliver links (URLs) that enable single-click access to online services with little to no resistance. However, SMS is inherently insecure, and numerous reports have documented message interception and data leaks. Thus, attributing excessive trust in such an insecure channel opens avenues for unintended access and exploitation by adversaries. In this paper, we present a comprehensive investigation of the implications of SMS-delivered URLs from the lens of public SMS gateways. We conduct the study on more than 322K unique SMS-delivered URLs extracted from more than 33 million messages across more than 30K phone numbers, revealing critical security and privacy vulnerabilities. We identify and validate critical Personally Identifiable Information (PII) exposure in 701 endpoints affecting 177 services. Our manual investigation of the root cause of the exposure reveals a weak authentication model which hinges upon tokenized bearer links as sufficient authorization proofs, thereby allowing anyone with the URL to access private user information, including social security number, date of birth, bank account number, and credit score. Additionally, we identify 125 services allowing mass enumeration of valid URLs due to low entropy within tokens, thereby cascading the privacy risks beyond the initially compromised users. Furthermore, we identify mismatches between the GUI and data fetched by the client, extending the scale of privacy leakages. Particularly, we identify 76 services that perform data overfetching. Finally, 18 services have acknowledged and addressed the weaknesses in their services, thereby enhancing the privacy of at least 120M users.