Exposed Twilio SDK Abused for Malvertising Attack

Cloud communications platform as a service (CPaaS) company Twilio this week disclosed a security incident that resulted in hackers uploading a modified version of the TaskRouter JS SDK to its site.

The incident happened on July 19 and was discovered several hours later, with the modified file being replaced within an hour.

Designed to provide easy interaction with the Twilio TaskRouter, the SDK was hosted in an Amazon Web Services S3 bucket that was improperly secured, thus becoming accessible to the attackers.

The hackers were able to inject code “that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company says.

Only version 1.20 of the TaskRouter JS SDK was affected, and the incident was remediated quickly. Twilio does not believe this was a targeted attack, but rather one that was opportunistic in nature.

“We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code, or data,” Twilio says.

The incident, the company explains, was the result of a misconfiguration introduced roughly five years ago, which left the path storing the TaskRouter SDK improperly secured, allowing anyone to read and write to it.

“One of Twilio’s S3 buckets is used to serve public content from the domain We host copies of our client-side JavaScript SDKs for Programmable Chat, Programmable Video, Twilio Client, and Twilio TaskRouter on that domain, but only v1.20 of the TaskRouter SDK was impacted by this issue,” the company notes.

On July 19, the attackers accessed that specific path via the Tor network and uploaded a modified version of the taskrouter.min.js file.

The attack on Twilio’s improperly secured S3 bucket was part of a Magecart-linked campaign that was initially observed in May, and which resulted in hundreds of unique domains being injected with the malicious redirecting cookie “jqueryapi1oad.”

The redirector initially appeared in April 2019, but continues to be abused, RiskIQ, which analyzed the campaign, reveals. The security firm identified a total of 362 unique domains that were affected.

The very same “jqueryapi1oad” cookie was identified by Twilio in the modified file the attackers uploaded to the insecure S3 bucket. The purpose of the attack was to redirect users to a malicious domain but also to collect specific information about their devices.

“We conducted a thorough audit of our AWS S3 buckets and found that there were other buckets with improper write settings. One was a backup of the original bucket and had a copy of the access policy. The other buckets we identified did not store production or customer data, and we found no evidence of tampering with them. None of Twilio’s other hosted SDKs had been impacted,” the company also notes.
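The kind of audit described above can be partly automated. The following is an added example, not Twilio's tooling: it scans an S3 bucket policy document for `Allow` statements that grant write actions to an anonymous principal. It assumes the exposure is expressed as a bucket policy (the article does not say how the path was opened up); the bucket name, path and `Sid` values in the sample are constructed.

```python
import json
from fnmatch import fnmatchcase

# Object/bucket write actions that let a caller replace or re-permission content.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")

def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (optionally inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_write_findings(policy_json):
    """Return one finding per Allow statement granting write to anyone."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        granted = sorted(w for w in WRITE_ACTIONS
                         if any(fnmatchcase(w.lower(), p) for p in patterns))
        if granted:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "resources": _as_list(stmt.get("Resource")),
                "write_actions": granted,
                # A Condition may narrow access; flag it for manual review.
                "conditional": "Condition" in stmt,
            })
    return findings

# Constructed sample policy (bucket name and path are placeholders).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "SdkPath", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:Put*"],
     "Resource": "arn:aws:s3:::example-bucket/sdk/*"}]})
```

Statements that use `NotAction` or `NotPrincipal`, and grants made through bucket or object ACLs rather than a policy, are outside what this check covers and need separate review.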

Twilio advises those who downloaded a copy of TaskRouter JS SDK 1.20 between July 19, 1:12 PM and July 20, 10:30 PM PDT (UTC-07:00), to re-download and replace it immediately. The replacement has been automatically performed for applications that load the SDK dynamically from Twilio’s CDN.

“Compromise of common cloud security infrastructure is a jewel in the crown for any attacker given the scope of influence over dependent enterprises and broadly deployed mobile applications alike. Storage configuration, SDK and API attacks are increasingly exploited vectors that can lead to misdirection, malware injection, manipulation and theft of data,” Mark Bower, senior vice president at comforte AG, said in an emailed comment.

“While malvertising was the initial endgame here, that in itself can lead to compromise of end user platforms and secondary data theft. Given the increasing dependency and complexity of cloud applications and platforms, human error will have increasing impact and data breach ramifications with further adoption, signaling the need for new approaches to secure data at risk from simple, yet easy to make, mistakes on a more robust level,” Bower added.

Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Related: Data From Joomla Resources Directory Exposed via Unprotected AWS Bucket

Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
