UC Network Management Community

UC Network Management Featured Article

July 29, 2020

Twilio Attack Highlights Vulnerabilities of Misconfigured AWS S3 Buckets


By Laura Stotler - UC Network Management Contributing Editor

An improperly configured AWS S3 bucket let attackers briefly write to part of Twilio's cloud storage, the company announced. Twilio, which provides a cloud communications platform-as-a-service (CPaaS), believes the attack was part of a broader campaign to exploit publicly writable S3 buckets for financial gain.

The company said attackers accessed the misconfigured bucket on July 19 and modified the company's TaskRouter JavaScript SDK, which was hosted in a bucket that had been publicly readable and writable since 2015. The altered version of the library was served to Twilio's customers, which include 150,000 companies and more than five million developers, for up to 24 hours.

Twilio counts AirBnB, Foursquare, Hulu, Lyft, Netflix, Shopify, Spotify, Twitter, Uber and Yelp among its customers. Developers use the TaskRouter SDK to interact with the routing engine, which sends tasks to agents or processes.

"We had not properly configured the access policy for one of our AWS S3 buckets," wrote the company in an incident report posted on its website. "Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks. This solely affected v1.20 of the TaskRouter JS SDK."

Twilio added that it has no evidence that any customer data was accessed or that the attacker reached its internal systems, code or data. Magecart is an umbrella name for a set of cybercrime groups that specialize in stealing payment card data by skimming online checkout forms: they inject JavaScript into the pages shoppers use so that the card details entered there are copied to a server the attackers control.

Twilio also audited its other AWS S3 buckets and found that additional buckets were misconfigured and publicly accessible. None of those buckets showed evidence of tampering, and all have since been fixed.
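The audit Twilio describes, and the policy-change monitoring it promises below, both come down to the same question: does a bucket's access policy grant writes to an anonymous principal? The following is an added example, not Twilio's code, that answers that question for an S3 bucket policy document. The bucket name, the CloudFront origin access identity and both policies are constructed placeholders.

```javascript
// Added example (not Twilio's code): audit an S3 bucket policy document for
// statements that let anyone write objects, the class of misconfiguration
// described above. Only the bucket policy is inspected; bucket and object
// ACLs (e.g. the public-read-write canned ACL) are a separate surface.
const WRITE_ACTIONS = ['s3:putobject', 's3:deleteobject', 's3:putobjectacl', 's3:*', '*'];

// IAM policy fields may be a single value or an array; normalise to an array.
function asList(x) {
  if (x === undefined) return [];
  return Array.isArray(x) ? x : [x];
}

// "Principal": "*" and "Principal": {"AWS": "*"} both mean anonymous access.
function isAnonymousPrincipal(p) {
  if (p === '*') return true;
  if (p && typeof p === 'object') return asList(p.AWS).includes('*');
  return false;
}

// True if an action string grants a write, including wildcards such as s3:Put*.
function matchesWrite(action) {
  const a = String(action).toLowerCase();
  if (WRITE_ACTIONS.includes(a)) return true;
  if (a.endsWith('*')) {
    const prefix = a.slice(0, -1);
    return WRITE_ACTIONS.some(w => w.startsWith(prefix));
  }
  return false;
}

// Returns one finding per Allow statement that grants a write to an anonymous
// principal. A Condition block may narrow the grant (for example to a source
// IP range), so such statements are reported as "conditional" for review
// rather than silently accepted.
function findPublicWriteStatements(policy) {
  const findings = [];
  asList(policy.Statement).forEach((st, i) => {
    if (st.Effect !== 'Allow') return;
    if (!isAnonymousPrincipal(st.Principal)) return;
    if (!asList(st.Action).some(matchesWrite)) return;
    findings.push({
      sid: st.Sid || `statement[${i}]`,
      resources: asList(st.Resource),
      conditional: st.Condition !== undefined,
    });
  });
  return findings;
}

// Constructed policies for a hypothetical bucket; the bucket name and the
// CloudFront origin access identity are placeholders, not Twilio's.
const WEAK_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'PublicReadWrite',
    Effect: 'Allow',
    Principal: '*',
    Action: ['s3:GetObject', 's3:PutObject'],
    Resource: 'arn:aws:s3:::example-sdk-bucket/*',
  }],
};

// Hardened version: no anonymous principal at all. Reads come only through a
// CDN distribution that is granted access by name, matching the "deliver
// content only through known CDNs" approach the article describes.
const FIXED_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'CdnReadOnly',
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI' },
    Action: 's3:GetObject',
    Resource: 'arn:aws:s3:::example-sdk-bucket/*',
  }],
};

console.log('weak policy findings:', JSON.stringify(findPublicWriteStatements(WEAK_POLICY)));
console.log('fixed policy findings:', JSON.stringify(findPublicWriteStatements(FIXED_POLICY)));
```

Run against the JSON returned by `aws s3api get-bucket-policy` (or fed from a policy-change event) to flag buckets that need attention. Note that a bucket can still be publicly writable through ACLs even when its policy is clean, so an audit should check both, and AWS's account-level Block Public Access setting is the simplest way to make such grants ineffective regardless of how they were written.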

Since Magecart operators actively seek out misconfigured S3 buckets, the incident points to a weakness that is common across cloud deployments. Twilio has vowed to make systemic improvements to prevent further incidents, including restricting direct access to S3 buckets and delivering content only through its known CDNs. It will also improve monitoring of S3 bucket policy changes so that unsafe access policies are detected quickly. And Twilio will determine the best way to provide integrity checking so that customers can validate that they are using the proper versions of the company's SDKs.




Edited by Maurice Nagle



Powered By Technology Marketing Corp. © 2021 Copyright.