Carrier caught injecting ‘SMS AD’ into Google verification code message
SMS is widely regarded as an insecure form of two-factor authentication, and another example of this has just emerged. A carrier looks to be injecting ads into the Google verification code used to sign in to services like Gmail.
Action Launcher developer Chris Lacy today tweeted how his Google verification code — which starts with “G-” — featured an “SMS AD.” The advertisement — for a VPN — includes a quick message and short URL.
For those that immediately suspect this is just a phishing attempt, the verification code is legitimate and was requested by Lacy to successfully verify a login attempt. Google Messages even flagged the link/message as spam.
As such, Googlers responding to the thread suspect this is an occurrence of a carrier appending an ad — note the extra spaces — into a real text message. It’s very unlikely that Google’s security teams would allow advertising into a very crucial part of the login process where end user trust is paramount.
Update: some Googlers have chimed in and it looks like the ad portion was appended by my carrier to Google's 2FA message.https://t.co/4CGUOw3x2v
