Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers

API dev kit remained modified for hours, says source

22 Reg comments Got Tips?

Exclusive Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers.

The cloud communications giant detailed the intrusion to The Register after we were tipped off to the security blunder by a source who wished to remain anonymous. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "non-malicious" code that appeared designed primarily to track whether or not the modification worked.

"Twilio believes the security of our customers' accounts is of paramount importance," a spokesperson told us.

"We can confirm that the TaskRouter v1.20 SDK contained a non-malicious modification inserted by an external third party due to a misconfigured S3 bucket. We became aware of the incident and immediately worked to close the S3 misconfiguration and audit all S3 buckets.

"These measures were implemented within 12 hours to resolve the issue. We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code or data."

Phone with chatbot on screen

Twilio tweaks twicky twalkative bot toows to dewight devewopers: It's Autopilot for chat apps

READ MORE

The JavaScript SDK is Twilio's recommended method for linking your business events, such as incoming phone calls from customers and alerts from monitoring systems, to its TaskRouter platform, which routes calls and jobs to your staff. For instance, if someone who prefers to speak Spanish hits the "call me, I need help" button on your website, your web app uses the TaskRouter SDK to create a task, in this case "call this customer now," which is routed via a queue to a staffer who can speak Spanish and handle the call.

Our source warned us: "There's been a security incident at Twilio. Malicious JavaScript was added to the TaskRouter SDK for about 10 hours." When we pressed Twilio for more information on the nature of the "non-malicious" code it said was injected into the SDK, Twilio told us:

Specifically, the modification added code to the end of the TaskRouter.js v1.20 SDK that made an HTTP GET request to hxxps://gold.platinumus.top/track/awswrite?q=dmn and followed the URL returned in the HTML by that request.

Although Twilio downplayed the injected code, judging from the URL involved, the script appeared to attempt to import a payment-card skimmer or inject ads – RiskIQ has spotted the same URL in other S3 buckets targeted by miscreants.

Twilio told us it is planning to issue a report with more information on the incident in the coming days. In the meantime, if you recently downloaded and deployed a copy of the SDK, you might want to check you have a clean version. ®

Updated to add on July 22

Twilio has now published its incident report. We're told the modification was undetected for eight hours, and made possible by an S3 access policy that left the SDK readable and writable by anyone. The development kit was vandalized as part of an automated cyber-crime campaign that preys on JavaScript code in open S3 buckets to inject malicious ads into browsers. Here are the key parts:

On Sunday July 19th, we became aware of a modification that had been made to a Javascript library that we host for our customers to include in their applications. A modified version of the TaskRouter JS SDK was uploaded to our site at 1:12 PM PDT (UTC-07:00). We received an alert about the modified file at approximately 9:20 PM PDT and replaced it on our site around 10:30 PM PDT. The modified version may have been available on our CDN or cached by user browsers for up to 24 hours after we replaced it on our site.

Our investigation of the javascript that was added by the attacker leads us to believe that this attack was opportunistic because of the misconfiguration of the S3 bucket. We believe that the attack was designed to serve malicious advertising to users on mobile devices.

If you downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00), you should re-download the SDK immediately and replace the old version with the one we currently serve.

Tell us something no one else knows: contact us securely.

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020