https://www.theregister.com/2020/07/21/twilio_sdk_code_injection/
By Shaun Nichols in San Francisco
The Register
21 Jul 2020
Exclusive - Twilio today confirmed one or more miscreants sneaked into its
unsecured cloud storage systems and modified a copy of the JavaScript SDK used
by its customers.
The cloud communications giant detailed the intrusion to The Register after we
were tipped off to the security blunder by a source who wished to remain
anonymous. In short, someone was able to get into Twilio's Amazon Web Services
S3 bucket, which was left unprotected and world-writable, and alter the
TaskRouter v1.20 SDK to include "non-malicious" code that appeared designed
primarily to track whether or not the modification worked.
"Twilio believes the security of our customers' accounts is of paramount
importance," a spokesperson told us.
"We can confirm that the TaskRouter v1.20 SDK contained a non-malicious
modification inserted by an external third party due to a misconfigured S3
bucket. We became aware of the incident and immediately worked to close the S3
misconfiguration and audit all S3 buckets.
"These measures were implemented within 12 hours to resolve the issue. We have
no evidence at this time that any customer data was accessed by a bad actor.
Furthermore, at no time did a malicious party have access to Twilio’s internal
systems, code or data."
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
Follow InfoSec News on Twitter
https://twitter.com/infosecnews_
Follow InfoSec News on LinkedIn
https://www.linkedin.com/company/infosecnews/
