Hidden Texting Vulnerability Across Major Carriers, Including Verizon and Apple, Finally Patched
Why It Matters
The exploit undermined the trustworthiness of SMS, a core communication channel for consumers and businesses, prompting a rapid industry‑wide remediation. Securing the legacy email‑to‑SMS bridge is essential to protect against phishing and fraud that target mobile users.
Key Takeaways
- UCSD uncovered email-to-SMS spoofing flaw across Android and iOS
- Verizon, T‑Mobile, Google, Apple released patches fixing sender‑ID parsing
- Verizon will discontinue email‑based texting by March 2027
- Attackers could inject spoofed messages into existing conversations
- Vulnerability highlighted need for standardized, secure SMS translation protocols
Pulse Analysis
The email‑to‑SMS gateway was introduced in the early 2000s to broaden SMS adoption, but it never received a security‑by‑design treatment. By treating email headers as phone numbers, carriers created an ambiguous parsing layer that attackers could manipulate with specially crafted characters. This legacy design flaw allowed malicious actors to insert forged messages directly into a user’s conversation thread, effectively bypassing the contact‑list verification that modern smartphones rely on for name display. The discovery underscores how outdated protocols can become attack vectors as messaging volume grows.
When UC San Diego disclosed the vulnerability, Verizon, T‑Mobile, Google and Apple acted within weeks to patch the parsing logic in their networks and messaging apps. Verizon’s decision to phase out email‑based texting by March 2027 represents a strategic move to eliminate the attack surface entirely, while Google Messages and iMessage now enforce stricter validation of sender identifiers. These coordinated fixes not only restore confidence in SMS but also set a precedent for rapid, cross‑industry response to emerging threats, highlighting the value of academic‑industry collaboration.
Looking ahead, the episode signals a broader industry shift toward formalizing standards for cross‑protocol message translation. Regulators and standards bodies may push for unified authentication frameworks that verify the origin of each SMS, similar to email’s SPF/DKIM mechanisms. Enterprises should audit their communication workflows for reliance on email‑to‑SMS gateways and consider alternative channels for critical alerts. For consumers, keeping devices updated and being wary of unexpected messages from known contacts remain essential defenses against sophisticated spoofing attacks.
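One way to start the audit recommended above is to scan alert-routing and notification configuration for addresses at carrier email-to-SMS gateways. This is an added example, not code from the article or the researchers; the gateway domain map, the function names and the sample configuration are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: gateway domains are not named in the article; extend this map for your carriers.
GATEWAY_DOMAINS = {
    "vtext.com": "Verizon",
    "tmomail.net": "T-Mobile",
    "txt.att.net": "AT&T",
}
ADDRESS_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    carrier: str
    note: str

def carrier_for(domain):
    """Return the carrier for a gateway domain or any subdomain of it."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        carrier = GATEWAY_DOMAINS.get(".".join(labels[i:]))
        if carrier:
            return carrier
    return None

def audit_gateway_use(text):
    """List every email-to-SMS gateway address found in text, with its line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for local, domain in ADDRESS_RE.findall(line):
            carrier = carrier_for(domain)
            if carrier is None:
                continue
            note = ("Verizon ends email-based texting by March 2027"
                    if carrier == "Verizon" else "email-to-SMS gateway in use")
            findings.append(Finding(line_no, f"{local}@{domain.lower()}", carrier, note))
    return findings
# Constructed sample: a hypothetical alert-routing file.
SAMPLE_CONFIG = """\
pager_primary: 5550100123@vtext.com
pager_backup: oncall@example.com
db_alerts: 5550100456@TMOMAIL.NET, dba@example.org
"""

if __name__ == "__main__":
    for f in audit_gateway_use(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.address} ({f.carrier}) - {f.note}")
```

Each finding is a workflow that depends on the gateway and is a candidate for migration to another alerting channel.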