More than 5 million developers and 150,000 companies use Twilio, which offers tools to help businesses improve communications over voice, text, and video; its APIs help developers bring voice, video, and text into their applications. Twitter, Spotify, Hulu, Lyft, Yelp, Airbnb, Shopify, Uber, Netflix, and Foursquare are among Twilio's customers.
On July 19, Twilio was alerted to a change made to the TaskRouter JS SDK, a library it hosts to help customers interact with TaskRouter, which offers a routing engine to send tasks to agents or processes. The attacker-altered version of the library may have been available on Twilio's CDN or cached by user browsers for up to 24 hours after the code was replaced on its website, which was about an hour after Twilio learned of the incident.
Attackers were able to change the library's code due to a misconfiguration in the S3 bucket that hosted the library. They injected code that made the browser load an extra URL that had been linked to Magecart attacks. Twilio doesn't believe this was targeted at the company. Rather, it seems to be an opportunistic attack related to a campaign to exploit open S3 buckets for financial gain.
These files are served to users via the CloudFlare CDN content delivery network, but they are also directly available in the S3 bucket, where Twilio has configured a set of access policies for each path where files are stored. It had not properly configured the access policy for the path storing the TaskRouter SDK, meaning anybody could read or write to that path. While this path was not initially configured with public write access when it was added in 2015, Twilio says this changed shortly after.
"We implemented a change 5 months later while troubleshooting a problem with one of our build systems and the permissions on that path were not properly reset once the issue had been fixed," the company said.
The code attackers injected is a malicious traffic redirector, report RiskIQ researchers who call it "jqueryapi1oad" and say it has been used in other campaigns. In an analysis published in June, its team details attacks that leverage S3 buckets to insert code into websites. Jqueryapi1oad, named for the cookie the team connected with it, seems related to a long-running malvertising campaign. It was first identified in July 2019 and is still in use on 362 unique domains to date.
This campaign, dubbed Hookads by RiskIQ, has previously been linked to exploit kits and other malicious behavior, researchers report. Hookads redirects users to different decoy websites and ultimately sends them to a website where malware is installed using exploit kits.
"The Twilio compromise was another example of misconfigured Amazon S3 buckets used as an attack vector," says RiskIQ threat researcher Jordan Herman. "Because of how easy they are to find and the level of access it grants attackers, we're seeing attacks like this happening at an alarming rate."
After learning of the attack, Twilio locked down the bucket and uploaded a clean version of the library to the bucket path. It conducted an audit of AWS S3 buckets and found others with improper write settings, but say no other hosted SDKs were affected. There is no evidence indicating an attacker accessed customer data or any of its internal systems, code, or data. Twilio Flex customers were not affected.
Attackers Exploit a Common Problem
As indicated in this incident and RiskIQ's research, attackers are increasingly looking to exposed S3 buckets to bring malware into otherwise legitimate code. By infecting a single massive supplier, such as Twilio, they can indirectly affect many more businesses that rely on it.
"Modern web applications make extensive use of third-party scripts and open source libraries, such as the TaskRouter library published by Twilio," says Ameet Naik, security evangelist at PerimeterX. "Often introduced without proper vetting, this shadow code introduces known risks into the application and vastly expands the attack surface."
Compounding this risk is the all-too-common problem of misconfigured cloud storage buckets, which have proved to be a consistent problem for enterprise security over the past few years. In this year alone, hundreds of thousands of files have been accidentally exposed because S3 buckets weren't properly configured. Businesses would be wise to learn how to protect them and, like Twilio did in the aftermath of its incident, conduct an audit to see where they may be exposed.