
Totally agree. The message content should be private and not accessible by employees. Kind of scary when you think that so many 2FA codes are sent via Twilio.


Exactly. A malicious employee could log in as any user to popular services like WhatsApp, Telegram and others that are SMS-auth only, simply by knowing which endpoint to hit to kick off an auth session initiation. I hope I am not understanding this exploit correctly. This would be a massive failure on Twilio's part to allow employees access to the auth code.
