24 July 2020

Hackers inject exposed Twilio SDK with malicious code

Cloud communications platform as a service (CPaaS) company Twilio revealed a security incident in which hackers uploaded a malicious version of the TaskRouter JS SDK, a library that allows customers to interact with Twilio TaskRouter, to the company’s site. The modified version of SDK “may have been available on our CDN or cached by user browsers for up to 24 hours,” Twilio said.

The company said it became aware of the incident on Sunday, July 19. As Twilio explained, because the affected SDK was hosted on a misconfigured S3 bucket, the attackers were “able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks.” The issue affected only the TaskRouter JS SDK v1.20.

“We had not properly configured the access policy for one of our AWS S3 buckets. One of Twilio’s S3 buckets is used to serve public content from the domain twiliocdn.com. We host copies of our client-side JavaScript SDKs for Programmable Chat, Programmable Video, Twilio Client, and Twilio TaskRouter on that domain, but only v1.20 of the TaskRouter SDK was impacted by this issue,” the company notes.

On July 19 attackers accessed the specific path storing the TaskRouter SDK and uploaded a modified version of the taskrouter.min.js file.
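The root cause described above is a bucket access policy that let anonymous callers write into a path that serves public content. The following added example (not Twilio's code) shows the kind of check a defender would run over every bucket: it reads a bucket policy and an ACL in the shapes that boto3's `get_bucket_policy()["Policy"]` and `get_bucket_acl()["Grants"]` return (that input shape is an assumption) and reports any grant that lets a public principal create, replace or delete objects, while leaving legitimate public reads alone. The sample policies and bucket name are constructed.

```python
"""Audit S3 bucket policy and ACL documents for anonymous write access.

Added example, not Twilio's code. Assumed input shapes: the policy is the
JSON string boto3's get_bucket_policy()["Policy"] returns, and the ACL is
the list from get_bucket_acl()["Grants"]. The sample documents below are
constructed for illustration.
"""
import fnmatch
import json

# Actions that let a caller create, replace or delete objects, or change who
# can. Assumed list; a bucket that only serves a CDN never needs to grant
# these to "*".
WRITE_ACTIONS = (
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:PutObjectAcl",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
)

# Canned ACL groups: AllUsers is anonymous; AuthenticatedUsers is any AWS
# account in the world, which is effectively public as well.
PUBLIC_GROUP_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_grants_write(action_pattern):
    """IAM actions may carry wildcards (s3:*, s3:Put*); expand them against WRITE_ACTIONS."""
    return [a for a in WRITE_ACTIONS if fnmatch.fnmatchcase(a, action_pattern)]


def policy_public_write_statements(policy_json):
    """Return each Allow statement that grants a write action to a public principal."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        granted = sorted({w for a in _as_list(stmt.get("Action")) for w in _action_grants_write(a)})
        if granted:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": granted,
                # A Condition may narrow the grant (e.g. to a source VPC); still
                # surface it, but mark it so the reviewer reads the condition.
                "conditional": "Condition" in stmt,
            })
    return findings


def acl_public_write_grants(grants):
    """Return ACL grants that give a public group WRITE, WRITE_ACP or FULL_CONTROL."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL")):
            findings.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant["Permission"]})
    return findings


# Constructed samples. A CDN bucket legitimately allows public GetObject;
# the second policy additionally lets anyone overwrite what is served.
SAFE_CDN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cdn-bucket/*"}],
})
OPEN_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::example-cdn-bucket/sdk/*"},
    ],
})
SAFE_ACL_GRANTS = [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUP_URIS[0]}, "Permission": "READ"}]
OPEN_ACL_GRANTS = SAFE_ACL_GRANTS + [
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUP_URIS[0]}, "Permission": "WRITE"},
]

if __name__ == "__main__":
    for name, policy in (("safe", SAFE_CDN_POLICY), ("open", OPEN_WRITE_POLICY)):
        print(name, "policy:", policy_public_write_statements(policy) or "no public write")
    print("open ACL:", acl_public_write_grants(OPEN_ACL_GRANTS))
```

Run against live buckets by iterating `list_buckets()` and feeding each bucket's policy and ACL into the two functions; the `conditional` flag is there because a public grant behind a `Condition` still deserves a human look rather than an automatic pass.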

During the investigation the company discovered a cookie called jqueryapi1oad, which was previously spotted in a Magecart-linked campaign in May. The goal of the attack was to redirect users to a malicious domain, as well as to collect specific information about their devices.
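Because the modified file was served from the CDN and cached by browsers, the consumer of an SDK like this one has its own line of defence: Subresource Integrity, which makes the browser refuse a script whose bytes do not match a hash pinned in the `<script>` tag. The added example below (not Twilio's or any browser's code) computes that hash and reproduces the browser's matching rule, including the edge cases that a practitioner tends to get wrong: several hashes may be listed, the strongest listed algorithm wins, and an attribute with no recognisable hash silently disables the check. The script bytes are constructed.

```python
"""Subresource Integrity (SRI) check for a script served from a CDN.

Added example, not Twilio's or any browser's code. It reproduces the SRI
matching rule a browser applies: an integrity attribute may list several
hashes, the strongest listed algorithm is chosen, and the resource is
accepted if any hash of that algorithm matches. The script bytes below are
constructed.
"""
import base64
import hashlib

# Strength order from the SRI specification; sha384 is the usual choice.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token, e.g. 'sha384-<base64 digest>', for data."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(data: bytes, integrity: str) -> bool:
    """Apply the browser rule: strongest listed algorithm wins; any matching hash of it passes."""
    tokens = {}
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm in SRI_ALGORITHMS:      # unknown algorithms are ignored, per spec
            tokens.setdefault(algorithm, set()).add(expected)
    if not tokens:
        # Per spec an attribute with no usable metadata does not block the
        # load. A typo in the attribute therefore disables the protection.
        return True
    strongest = max(tokens, key=SRI_ALGORITHMS.index)
    actual = sri_hash(data, strongest).partition("-")[2]
    return actual in tokens[strongest]


def script_tag(src: str, data: bytes) -> str:
    """Render the <script> tag a page should use to pin the exact SDK build it loads."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


# Constructed stand-ins for a published SDK build and a tampered copy.
ORIGINAL_SDK = b"!function(){window.TaskRouter={version:'1.20'}}();"
TAMPERED_SDK = ORIGINAL_SDK + b"\n/* any appended bytes change the digest */"

if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SDK)
    print(script_tag("https://cdn.example.invalid/taskrouter.min.js", ORIGINAL_SDK))
    print("original accepted:", sri_matches(ORIGINAL_SDK, pinned))
    print("tampered accepted:", sri_matches(TAMPERED_SDK, pinned))
```

The `crossorigin="anonymous"` attribute matters in practice: without a CORS-enabled fetch the browser cannot read the bytes of a cross-origin script and will refuse to load a script that carries an `integrity` attribute. SRI pins one exact build, so it only works for versioned URLs, not for a "latest" path that the vendor rewrites.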

“We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code, or data,” the company said.

“We do not believe this was an attack targeted at Twilio or any of our customers. Instead, this attack appears to be opportunistic and related to a large and well-known campaign to find and exploit open AWS S3 buckets on the Internet for financial gain.”

Twilio checked the permissions on all of its AWS S3 buckets and found others that were misconfigured, but they hosted no production or customer data and had not been tampered with.

