Hackers can exploit a message translation and interpretation flaw


T-Mobile’s messaging gateway converting an email to a text. | Image by UC San Diego researchers
A security flaw that could let hackers fake their identity in smartphone texts has been patched in the US. The vulnerability was discovered by computer scientists at the University of California, San Diego, and affected iOS and Android devices across networks like AT&T, Verizon, T-Mobile, Google Fi, and Mint Mobile.
The bug traces back to a feature rolled out by carriers in the early 2000s that let customers send text messages via email. Because emails and text messages use entirely different formatting rules, the translation between them is imperfect and a lot can get lost. Because carriers typically treated email information as authentic, experts found a way to exploit the gap.
Incongruous
Email and text don’t work well together, per UC San Diego Department of Computer Science and Engineering professor Stefan Savage.
Email and text messaging weren’t designed to work together. It’s a little bit like reading postcards to someone over the phone and needing to figure out where the sender and recipient information and the message itself are.
Stefan Savage, UC San Diego professor, June 2026
AT&T, Verizon, T-Mobile, and Google have changed the way email address fields are translated into texts to iron out the problem. Associated vulnerabilities in Google Messages and Apple Messages have also been addressed.
Unreliable


Verizon is shuttering the email-to-text feature. | Image by Verizon
The vulnerability thrived because the cellular ecosystem operates on the cozy assumption that the system that transmits text messages is reliable. It was compounded by the fact that there are no standards for converting emails to texts.
The report doesn’t say whether the vulnerability has been exploited.
You can never be too careful
Reports like these are reminders that the most benign-looking features can put you in harm’s way. The email-to-text feature isn’t wildly popular, which is probably why it slipped through the cracks and took more than two decades to uncover.

