Aren't these basically open relays for SMS? Wouldn't they be buried under an avalanche of spam? I'm honestly mystified at how and why carriers expose these free SMS gateways. Am I missing something?
I used to work for a big public organisation; we had numerous SMS providers over the years. Most of them used HTTP (notice the lacking S) as the protocol and accepted simple POST actions with a key in the header (for everyone listening to read). When I left, the service we used the most had moved to HTTPS at our request, but functioned the same way and was essentially bruteforceable because our password was 4 characters long and there was no limit on the service. I left in 2021.
I don’t think security is necessarily the most important thing to these companies.
About a decade back, we used to use the email approach at a non-profit I volunteered at. Annually we would need to send a bunch of texts over a short time period. Think "once a year event".
Eventually we had to stop using that solution. Most texts went through, but there were enough failures that we had to switch to Twilio. I can't remember when; I guess 5 or 10 years ago? Getting old.
(We didn't immediately switch to Twilio. There was one year during which we used my personal phone to send out an obscene number of texts from my personal phone number. Figured out that was a bad idea pretty quick.)
1. Latency. We really needed messages to go out to everyone all at once.
2. My personal phone became unusable for the rest of the event because people thought that number was a general event organizer contact mechanism. This was a big deal because I was a key member of the operations staff and really needed my phone to be useful.
Solving (1) and (2) was certainly doable, but Twilio solved the problem for us and I had higher-impact IT stuff to be working on for the org.
They’ve been sitting there, open, for a really long time — probably close to two decades. Maybe longer? It’s an arcane enough feature that they’d probably just kill the service altogether if they became problematic. Can be convenient for hobby dev projects.