Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK

mood · Jul 21, 2020

Twilio: Someone broke into our unsecured AWS S3 silo, added 'non-malicious' code to our JavaScript SDK
API dev kit remained modified for hours, says source
July 21, 2020
https://www.theregister.com/2020/07/21/twilio_sdk_code_injection/

Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK used by its customers.

The cloud communications giant detailed the intrusion to The Register after we were tipped off to the security blunder by a source who wished to remain anonymous. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "non-malicious" code that appeared designed primarily to track whether or not the modification worked.

"These measures were implemented within 12 hours to resolve the issue. We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code or data."
Click to expand...

Given that TaskRouter.js serves as one of the link-ups between business applications and the TaskRouter service, this could have been a much worse attack.
In the meantime, if you recently downloaded and deployed a copy of the SDK, you might want to check you have a clean version.
Click to expand...

mood · Jul 23, 2020

mood said: ↑

Twilio: Someone broke into our unsecured AWS S3 silo, added 'non-malicious' code to our JavaScript SDK July 21, 2020
Click to expand...

Updated (July 22, 2020):

Updated to add on July 22
Twilio has now published its incident report. We're told the modification was undetected for eight hours, and made possible by an S3 access policy that left the SDK readable and writable by anyone. The development kit was vandalized as part of an automated cyber-crime campaign that preys on JavaScript code in open S3 buckets to inject malicious ads into browsers.
Click to expand...

mood · Jul 24, 2020

Misconfigured S3 exposes Twilio users to Magecart attack
July 23, 2020
https://www.scmagazine.com/home/sec...d-s3-exposes-twilio-users-to-magecart-attack/

A misconfiguration in an S3 bucket that was hosting a Twilio Javascript library caused a bad threat actor to inject code that made Twilio users load an extraneous URL on their browsers that has been associated with the Magecart group of attacks.

Twilio said it does not believe this was an attack targeted at Twilio or any of its customers. Rather, the attack appears opportunistic and related to a large and well-known campaign to find and exploit open AWS S3 buckets on the Internet for financial gain.

“The Twilio compromise was another example of misconfigured Amazon S3 buckets used as an attack vector,” said Jordan Herman, a threat researcher at RiskIQ. “Because of how easy they are to find and the level of access it grants attackers, we’re seeing attacks like this happening at an alarming rate.”
Click to expand...

mood · Jul 25, 2020

Twilio breach spotlights struggle to keep corporate software kits out of the wrong hands
July 24, 2020
https://www.cyberscoop.com/twilio-hack-breach-s3-buckets-magecart/

The security team at Twilio, a cloud communications company that claimed over $1 billion in revenue last year, could breathe a sigh of relief on Sunday night.

[...] Twilio cleaned up the code hours later, and said there was no sign the attackers had accessed customer data.
But the damage could have been worse if the attack had been targeted, multiple security experts told CyberScoop.

With access to the code, which was sitting in an unsecured Amazon cloud storage service known as an S3 bucket, the attackers could have conducted phishing attacks or distributed malware through the platform, according to Yonathan Klijnsma, head of threat research at security company RiskIQ.

Dave Kennedy, founder of cybersecurity company TrustedSec, argued that, by replacing the software development kit, “the attackers had the ability to add any code that could then be executed client side.”
Click to expand...

The episode also highlighted the need, in an age of open-source collaboration, for organizations to separate the digital assets they want to be publicly accessible from those that should be sealed, said Kenn White, director of the Open Crypto Audit Project.
Click to expand...

Log in or Sign up

Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team