
Exposed Twilio SDK Abused for Malvertising Attack

Cloud communications platform as a service (CPaaS) company Twilio this week disclosed a security incident that resulted in hackers uploading a modified version of the TaskRouter JS SDK to its site.

The incident happened on July 19 and was discovered several hours later, with the modified file being replaced within an hour.

Designed to provide easy interaction with the Twilio TaskRouter, the SDK was hosted in an Amazon Web Services S3 bucket that was improperly secured, thus becoming accessible to the attackers.

The hackers were able to inject code “that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company says.

Only version 1.20 of the TaskRouter JS SDK was affected and the incident was remediated quickly. Twilio does not believe this was a targeted attack, describing it instead as opportunistic in nature.

“We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code, or data,” Twilio says.

The incident, the company explains, was the result of a misconfiguration introduced roughly five years ago, which left access to the path storing the TaskRouter SDK improperly secured, allowing anyone to read from and write to it.

“One of Twilio’s S3 buckets is used to serve public content from the domain twiliocdn.com. We host copies of our client-side JavaScript SDKs for Programmable Chat, Programmable Video, Twilio Client, and Twilio TaskRouter on that domain, but only v1.20 of the TaskRouter SDK was impacted by this issue,” the company notes.

On July 19, the attackers accessed that specific path via the Tor network and uploaded a modified version of the taskrouter.min.js file.

The attack on Twilio’s improperly secured S3 bucket was part of a Magecart-linked campaign that was initially observed in May, and which resulted in hundreds of unique domains being injected with the malicious redirecting cookie “jqueryapi1oad.”

RiskIQ, which analyzed the campaign, reveals that the redirector first appeared in April 2019 and continues to be abused. The security firm identified a total of 362 unique domains that were affected.

The very same “jqueryapi1oad” cookie was identified by Twilio in the modified file the attackers uploaded to the insecure S3 bucket. The purpose of the attack was to redirect users to a malicious domain and also to collect specific information about their devices.

“We conducted a thorough audit of our AWS S3 buckets and found that there were other buckets with improper write settings. One was a backup of the original bucket and had a copy of the access policy. The other buckets we identified did not store production or customer data, and we found no evidence of tampering with them. None of Twilio’s other hosted SDKs had been impacted,” the company also notes.
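The root cause described above and in Twilio's audit is a bucket that granted write access to everyone. The following Python script is an added example, not Twilio's or AWS's own tooling: it checks the two bucket-level documents that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return for grants that let the AllUsers or AuthenticatedUsers groups, or a `*` principal, modify content. The ACL and policy documents embedded below are constructed for the example (the bucket name and owner ID are placeholders, not Twilio's real configuration) and show a public-read CDN bucket with an extra public write grant beside its hardened form.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for public write access.

Input shapes follow the JSON returned by `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy`. The sample documents below are constructed
for this example and are not any real bucket's configuration.
"""
import fnmatch
import json

# Canned grantee URIs that AWS uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permissions that allow modifying objects or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# IAM actions that let a principal alter bucket content or its access settings.
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketacl", "s3:putbucketpolicy")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_write_grants(acl):
    """Return (grantee URI, permission) pairs giving a public group write rights."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        if grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (the AWS value may be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_write_statements(policy):
    """Return (Sid, matched write actions, has_condition) for Allow statements
    that let anyone perform a write-capable S3 action. Statements with a
    Condition are still reported, flagged, because the condition may or may
    not actually narrow the grant; they need a manual look."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        matched = []
        for pattern in _as_list(stmt.get("Action")):
            pattern = pattern.lower()  # IAM action names are case-insensitive
            matched.extend(a for a in WRITE_ACTIONS if fnmatch.fnmatchcase(a, pattern))
        if matched:
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(set(matched)),
                             "Condition" in stmt))
    return findings


def audit_bucket(acl, policy):
    """Run both checks; an empty result means no public write path was found."""
    return {"acl": public_write_grants(acl), "policy": public_write_statements(policy)}


# Constructed sample: public-read CDN bucket with an extra public WRITE grant.
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE_OWNER_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed sample: the same bucket with public read only, which is all a CDN needs.
HARDENED_ACL = {
    "Owner": {"ID": "EXAMPLE_OWNER_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample policies; "example-cdn-bucket" is a placeholder name.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::example-cdn-bucket/sdk/*"}
  ]
}""")

HARDENED_POLICY = {"Version": "2012-10-17",
                   "Statement": [EXPOSED_POLICY["Statement"][0]]}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(EXPOSED_ACL, EXPOSED_POLICY), indent=2))
    print(json.dumps(audit_bucket(HARDENED_ACL, HARDENED_POLICY), indent=2))
```

To run it against a real account, feed the script the parsed output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the policy comes back as a JSON string inside a `Policy` field). Two caveats: the bucket ACL and bucket policy are not the only grant paths, since object-level ACLs and IAM policies attached to users and roles also confer access, and the account- or bucket-level S3 Block Public Access settings, where enabled, override both documents, so a finding here is a public write path only if those settings are off.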

Twilio advises those who downloaded a copy of TaskRouter JS SDK 1.20 between July 19, 1:12 PM and July 20, 10:30 PM PDT (UTC-07:00), to re-download and replace it immediately. The replacement has been automatically performed for applications that load the SDK dynamically from Twilio’s CDN.

“Compromise of common cloud security infrastructure is a jewel in the crown for any attacker given the scope of influence over dependent enterprises and broadly deployed mobile applications alike. Storage configuration, SDK and API attacks are increasingly exploited vectors that can lead to misdirection, malware injection, manipulation and theft of data,” Mark Bower, senior vice president at comforte AG, said in an emailed comment.

“While malvertising was the initial endgame here, that in itself can lead to compromise of end user platforms and secondary data theft. Given the increasing dependency and complexity of cloud applications and platforms, human error will have increasing impact and data breach ramifications with further adoption, signaling the need for new approaches to secure data at risk from simple, yet easy to make, mistakes on a more robust level,” Bower added.
