Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:45 PM
Connect Directly

Twilio Security Incident Shows Danger of Misconfigured S3 Buckets

Twilio says attackers accessed its misconfigured cloud storage system and altered a copy of the JavaScriptSDK it shares with customers.

Twilio, the cloud communications platform-as-a-service (CPaaS) giant, has confirmed a security incident in which attackers accessed a misconfigured Amazon AWS S3 bucket and modified the TaskRouter JavaScript SDK. The SDK path had been publicly readable and writable since 2015.

More than 5 million developers and 150,000 companies use Twilio, which offers tools to help businesses improve communications over voice, text, and video; its APIs help developers bring voice, video, and text into their applications. Twitter, Spotify, Hulu, Lyft, Yelp, Airbnb, Shopify, Uber, Netflix, and Foursquare are among Twilio's customers.   

On July 19, Twilio was alerted to a change made to the TaskRouter JS SDK, a library it hosts to help customers interact with TaskRouter, which offers a routing engine to send tasks to agents or processes. The attacker-altered version of the library may have been available on Twilio's CDN or cached by user browsers for up to 24 hours after the code was replaced on its website, which was about an hour after Twilio learned of the incident.

Attackers were able to change the library's code due to a misconfiguration in the S3 bucket that hosted the library. They injected code that made the browser load an extra URL that had been linked to Magecart attacks. Twilio doesn't believe this was targeted at the company. Rather, it seems to be an opportunistic attack related to a campaign to exploit open S3 buckets for financial gain.

"We had not properly configured the access policy for one of our AWS S3 buckets," officials wrote in a disclosure. One of its S3 buckets is used to serve content from a domain twiliocdn[.]com; here, it hosts client-side JavaScript SDKs for Programmable Chat, Programmable Video, Twilio Client, and Twilio TaskRouter. Only v1.20 of the TaskRouter SDK was affected by this issue, the company says.

These files are served to users via the CloudFlare CDN content delivery network, but they are also directly available in the S3 bucket, where Twilio has configured a set of access policies for each path where files are stored. It had not properly configured the access policy for the path storing the TaskRouter SDK, meaning anybody could read or write to that path. While this path was not initially configured with public write access when it was added in 2015, Twilio says this changed shortly after.

"We implemented a change 5 months later while troubleshooting a problem with one of our build systems and the permissions on that path were not properly reset once the issue had been fixed," the company said. 

The code attackers injected is a malicious traffic redirector, report RiskIQ researchers who call it "jqueryapi1oad" and say it has been used in other campaigns. In an analysis published in June, its team details attacks that leverage S3 buckets to insert code into websites. Jqueryapi1oad, named for the cookie the team connected with it, seems related to a long-running malvertising campaign. It was first identified in July 2019 and is still in use on 362 unique domains to date.

This campaign, dubbed Hookads by RiskIQ, has previously been linked to exploit kits and other malicious behavior, researchers report. Hookads redirects users to different decoy websites and ultimately sends them to a website where malware is installed using exploit kits.

"The Twilio compromise was another example of misconfigured Amazon S3 buckets used as an attack vector," says RiskIQ threat researcher Jordan Herman. "Because of how easy they are to find and the level of access it grants attackers, we're seeing attacks like this happening at an alarming rate."

After learning of the attack, Twilio locked down the bucket and uploaded a clean version of the library to the bucket path. It conducted an audit of AWS S3 buckets and found others with improper write settings, but say no other hosted SDKs were affected. There is no evidence indicating an attacker accessed customer data or any of its internal systems, code, or data. Twilio Flex customers were not affected.

Attackers Exploit a Common Problem
As indicated in this incident and RiskIQ's research, attackers are increasingly looking to exposed S3 buckets to bring malware into otherwise legitimate code. By infecting a single massive supplier, such as Twilio, they can indirectly affect many more businesses that rely on it. 

"Modern web applications make extensive use of third-party scripts and open source libraries, such as the TaskRouter library published by Twilio," says Ameet Naik, security evangelist at PerimeterX. "Often introduced without proper vetting, this shadow code introduces known risks into the application and vastly expands the attack surface."

Compounding this risk is the all-too-common problem of misconfigured cloud storage buckets, which have proved to be a consistent problem for enterprise security over the past few years. In this year alone, hundreds of thousands of files have been accidentally exposed because S3 buckets weren't properly configured. Businesses would be wise to learn how to protect them and, like Twilio did in the aftermath of its incident, conduct an audit to see where they may be exposed.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.
PUBLISHED: 2020-10-30
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is ...