Skip to main content

Twilio SDK hit by malicious code attack

(Image credit: Shutterstock / Askobol)

Twilio has reported a security incident that saw a hacker gain access to and modify one of the Javascript SDK libraries used by its customers. 

Serving around 170,000 customers, Twilio is a major provider of communication services. Its users rely on it to power their own comms technology, such as messaging through voice, video, and text. Twilio also runs a flexible cloud contact center, supports push authentication services, and facilitates web connections for IoT devices.

The company believes the malicious code may have remained available to clients for up to 24 hours. 

The affected Twilio TaskRouter JS SDK library was exploited on July 19, with the attacker exploiting a misconfiguration in a public AWS S3 cloud storage bucket. 

Fortunately for Twilio users, there is apparently no evidence that any bad actor has used the exploit to access the service’s internal systems or customer data.  

Twilio attack

A misconfiguration meant that Twilio’s S3 bucket could be modified by anybody on the web. Unintentionally modifiable S3 buckets are easy to find, and this has led to a spate of exploitative hacks. 

Twilio believes the hack was carried out by the Magecart hacking consortium and that, rather than target either the company or its users, the attack was intended to “serve malicious advertising to users on mobile devices”. 

Although the Twilio team says it acted fast, replacing the compromised SDK library within an hour of being alerted to the modification, the unwanted code may have been available via CDN and cached versions of the bucket for up to 24 hours on July 19.

In response to the intrusion, Twilio locked down the bucket and added a clean version of the library to its path. Its incident team then reviewed the access policies of all other Twilio S3 buckets and found two further buckets with misconfigured write settings. Fortunately, neither of these stored “production or customer data” and they did not show any signs of having been exploited.