The cloud communications giant detailed the intrusion to The Register after we were tipped off to the security blunder by a source who wished to remain anonymous. In short, someone was able to get into Twilio’s Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include “non-malicious” code that appeared designed primarily to track whether or not the modification worked.
“Twilio believes the security of our customers’ accounts is of paramount importance,” a spokesperson told us.
“We can confirm that the TaskRouter v1.20 SDK contained a non-malicious modification inserted by an external third party due to a misconfigured S3 bucket. We became aware of the incident and immediately worked to close the S3 misconfiguration and audit all S3 buckets.
“These measures were implemented within 12 hours to resolve the issue. We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code or data.”
Although Twilio downplayed the injected code, judging from the URL involved, the script appeared to attempt to import a payment-card skimmer or inject ads – RiskIQ has spotted the same URL in other S3 buckets targeted by miscreants.
Twilio told us it is planning to issue a report with more information on the incident in the coming days. In the meantime, if you recently downloaded and deployed a copy of the SDK, you might want to check you have a clean version. ®
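The root cause described above, a bucket whose access policy or ACL let anyone write, is something a bucket owner can test for directly. The following is an added example for this article, not Twilio's code or anything from its incident response; it makes no AWS calls and instead evaluates a bucket policy document and an ACL dictionary offline. The policy shape is the standard IAM policy JSON, the ACL dictionary follows the shape boto3's get_bucket_acl returns (an assumption of this example), and the bucket name and Sid values are constructed placeholders.

```python
"""Offline checks for the two ways an S3 bucket becomes world-writable:
a bucket policy granting write actions to a public principal, and a
bucket ACL granting WRITE to the AllUsers / AuthenticatedUsers groups."""
import fnmatch
import json

# Write-class actions that let an anonymous caller replace, delete, or
# re-permission objects; a public grant of any of these is a finding.
WRITE_ACTIONS = (
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:DeleteObject",
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
)

PUBLIC_GROUP_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
ACL_WRITE_PERMISSIONS = ("WRITE", "WRITE_ACP", "FULL_CONTROL")


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # "Principal": "*" and {"AWS": "*"} both mean anyone, anonymous included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_write_statements(policy):
    """Return (Sid, [write actions granted]) for each statement that lets a
    public principal write. Statements carrying a Condition are skipped and
    should be reviewed by hand, since a condition may or may not narrow them."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        # Action patterns may use wildcards ("s3:*", "s3:Put*", "*").
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        granted = [a for a in WRITE_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if granted:
            findings.append((stmt.get("Sid", "<no Sid>"), granted))
    return findings


def acl_grants_public_write(acl):
    """True if any grant gives a public group a write-class permission.
    `acl` is assumed to have the dict shape boto3's get_bucket_acl returns."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            if grant.get("Permission") in ACL_WRITE_PERMISSIONS:
                return True
    return False


# Constructed sample: the weak policy. Public read is intended for a
# CDN-style SDK bucket, but s3:PutObject lets anyone replace the files.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicSdkBucket",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-sdk-bucket/*"
  }]
}""")

# Constructed sample: the corrected policy keeps public read and drops every
# write action; uploads stay with the account's own deployment identity,
# which is authorised through IAM and needs no public statement here.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicSdkBucket",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-sdk-bucket/*"
  }]
}""")

# Constructed sample ACL: the AllUsers group holding WRITE is the same
# exposure expressed through the older ACL mechanism.
WEAK_ACL = {"Grants": [{
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "WRITE",
}]}

if __name__ == "__main__":
    print("weak policy findings:", public_write_statements(WEAK_POLICY))
    print("hardened policy findings:", public_write_statements(HARDENED_POLICY))
    print("weak ACL public write:", acl_grants_public_write(WEAK_ACL))
```

On a live account the same two functions can be fed the output of boto3's get_bucket_policy (after json.loads on its "Policy" string) and get_bucket_acl for every bucket, which turns the twelve-hour audit described above into a routine check; enabling S3 Block Public Access at the account level prevents both forms of public grant from being applied in the first place.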
Updated to add on July 22
Twilio has now published its incident report. We’re told the modification was undetected for eight hours, and made possible by an S3 access policy that left the SDK readable and writable by anyone. The code was vandalized as part of an automated cyber-crime campaign that preys on open S3 buckets to inject malicious ads into browsers. Here are the key parts: