Twilio SDK hit by malicious code attack

News
By published

Hackers exploit S3 cloud storage misconfiguration to inject malicious code into public Twilio SDK

(Image credit: Shutterstock / Askobol)

Twilio has reported a security incident that saw a hacker gain access to and modify one of the Javascript SDK libraries used by its customers. 

Serving around 170,000 customers, Twilio is a major provider of communication services. Its users rely on it to power their own comms technology, such as messaging through voice, video, and text. Twilio also runs a flexible cloud contact center, supports push authentication services, and facilitates web connections for IoT devices.

The company believes the malicious code may have remained available to clients for up to 24 hours. 

The affected Twilio TaskRouter JS SDK library was exploited on July 19, with the attacker exploiting a misconfiguration in a public AWS S3 cloud storage bucket. 

Fortunately for Twilio users, there is apparently no evidence that any bad actor has used the exploit to access the service’s internal systems or customer data.  

Twilio attack

A misconfiguration meant that Twilio’s S3 bucket could be modified by anybody on the web. Unintentionally modifiable S3 buckets are easy to find, and this has led to a spate of exploitative hacks. 

Twilio believes the hack was carried out by the Magecart hacking consortium and that, rather than target either the company or its users, the attack was intended to “serve malicious advertising to users on mobile devices”. 

Although the Twilio team says it acted fast, replacing the compromised SDK library within an hour of being alerted to the modification, the unwanted code may have been available via CDN and cached versions of the bucket for up to 24 hours on July 19.

In response to the intrusion, Twilio locked down the bucket and added a clean version of the library to its path. Its incident team then reviewed the access policies of all other Twilio S3 buckets and found two further buckets with misconfigured write settings. Fortunately, neither of these stored “production or customer data” and they did not show any signs of having been exploited.

Jacob Parker
Latest in Security
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedly left users exposed for months
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
Data leak
Top California sperm bank suffers embarrassing leak
An Android phone being held in the hand
These malicious Android apps were installed over 60 million times - here's how to stay safe
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
Latest in News
Stability AI 3D Video
Stability AI’s new virtual camera turns any image into a cool 3D video and I’m blown away by how good it is
The Google Wallet app with a mode for kids shown on-screen.
Google Wallet’s new kid-friendly payment system is a win for parents
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedly left users exposed for months
Vertere DG-X turntable on a pink/white TechRadar background
Vertere's elite DG X turntable is modular, expensive, and hugely desirable
Google Pixel 9a
Google is delaying the Pixel 9a to fix a mystery “component quality issue”
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar
Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
More about security
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X

A worrying Apple Password App vulnerability reportedly left users exposed for months
DeepSeek

Fake DeepSeek installers are infecting your device with dangerous malware
MindpoolAI

What is MindpoolAI? Everything we know about the AI model platform
See more latest
Most Popular
Vertere DG-X turntable on a pink/white TechRadar background
Vertere's elite DG X turntable is modular, expensive, and hugely desirable
Mark and Devon sitting in a car in Severance season 2 episode 9
What time is Severance season 2 episode 10 going to be released on Apple TV+?
Oracle
Oracle is giving your business the chance to create its own AI agents
The Google Wallet app with a mode for kids shown on-screen.
Google Wallet’s new kid-friendly payment system is a win for parents
Comino Grando Server
Puget Systems partners with Comino to bring more affordable liquid cooled dual-CPU, 8-GPU systems to the masses
Stability AI 3D Video
Stability AI’s new virtual camera turns any image into a cool 3D video and I’m blown away by how good it is
Elecom 9,000mAh sodium-ion battery
This is the world's first sodium-ion mobile battery, a game changer in environmental sustainability, but it's not cheap
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar
Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
Data center server room lit with green lights
Microsoft is MIA as Amazon, Meta, Google and others join consortium to triple nuclear energy output by 2050
Thrustmaster Sol-R flight stick
Thrustmaster announces the Sol-R 1 and Sol-R 2 HOSAS flight sticks designed for space sims like Elite Dangerous