Cloud communications platform as a service (CPaaS) company Twilio revealed a security incident in which hackers uploaded a malicious version of the TaskRouter JS SDK, a library that allows customers to interact with Twilio TaskRouter, to the company’s site. The modified version of SDK “may have been available on our CDN or cached by user browsers for up to 24 hours,” Twilio said.
The company said it became aware of the incident on Sunday, July 19. As Twilio explained, because the affected SDK was hosted on a misconfigured S3 bucket the attackers were “able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks.” The issue affected only the TaskRouter JS SDK v1.20.
“We had not properly configured the access policy for one of our AWS S3 buckets. One of Twilio’s S3 buckets is used to serve public content from the domain twiliocdn.com. We host copies of our client-side JavaScript SDKs for Programmable Chat, Programmable Video, Twilio Client, and Twilio TaskRouter on that domain, but only v1.20 of the TaskRouter SDK was impacted by this issue,” the company notes.
On July 19 attackers accessed the specific path storing the TaskRouter SDK and uploaded a modified version of the taskrouter.min.js file.
During the investigation the company discovered a cookie called jqueryapi1oad, which was previously spotted in a Magecart-linked campaign in May. The goal of the attack was to redirect users to a malicious domain, as well as to collect specific information about their devices.
“We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code, or data,” the company said.
“We do not believe this was an attack targeted at Twilio or any of our customers. Instead, this attack appears to be opportunistic and related to a large and well-known campaign to find and exploit open AWS S3 buckets on the Internet for financial gain.”
Twillio checked the permissions on all of their AWS S3 buckets and found others that were misconfigured, but they hosted no production or customer data and haven’t been tampered with.
