Twilio Security Incident Shows Danger of Misconfigured S3 Buckets

Twilio says attackers accessed its misconfigured cloud storage system and altered a copy of the JavaScriptSDK it shares with customers.

Twilio, the cloud communications platform-as-a-service (CPaaS) giant, has confirmed a security incident in which attackers accessed a misconfigured Amazon AWS S3 bucket and modified the TaskRouter JavaScript SDK. The SDK path had been publicly readable and writable since 2015.
More than 5 million developers and 150,000 companies use Twilio, which offers tools to help businesses improve communications over voice, text, and video; its APIs help developers bring voice, video, and text into their applications. Twitter, Spotify, Hulu, Lyft, Yelp, Airbnb, Shopify, Uber, Netflix, and Foursquare are among Twilios customers.
On July 19, Twilio was alerted to a change made to the TaskRouter JS SDK, a library it hosts to help customers interact with TaskRouter, which offers a routing engine to send tasks to agents or processes. The attacker-altered version of the library may have been available on Twilios CDN or cached by user browsers for up to 24 hours after the code was replaced on its website, which was about an hour after Twilio learned of the incident.
Attackers were able to change the librarys code due to a misconfiguration in the S3 bucket that hosted the library. They injected code that made the browser load an extra URL that had been linked to Magecart attacks. Twilio doesnt believe this was targeted at the company. Rather, it seems to be an opportunistic attack related to a campaign to exploit open S3 buckets for financial gain.
We had not properly configured the access policy for one of our AWS S3 buckets, officials wrote in a
disclosure
. One of its S3 buckets is used to serve content from a domain twiliocdn[.]com; here, it hosts client-side JavaScript SDKs for Programmable Chat, Programmable Video, Twilio Client, and Twilio TaskRouter. Only v1.20 of the TaskRouter SDK was affected by this issue, the company says.
These files are served to users via the CloudFlare CDN content delivery network, but they are also directly available in the S3 bucket, where Twilio has configured a set of access policies for each path where files are stored. It had not properly configured the access policy for the path storing the TaskRouter SDK, meaning anybody could read or write to that path. While this path was not initially configured with public write access when it was added in 2015, Twilio says this changed shortly after.
We implemented a change 5 months later while troubleshooting a problem with one of our build systems and the permissions on that path were not properly reset once the issue had been fixed, the company said.
The code attackers injected is a malicious traffic redirector, report RiskIQ researchers who call it jqueryapi1oad and say it has been used in other campaigns. In
an analysis
published in June, its team details attacks that leverage S3 buckets to insert code into websites. Jqueryapi1oad, named for the cookie the team connected with it, seems related to a long-running malvertising campaign. It was first identified in July 2019 and is still in use on 362 unique domains to date.
This campaign, dubbed Hookads by RiskIQ, has previously been linked to exploit kits and other malicious behavior, researchers report. Hookads redirects users to different decoy websites and ultimately sends them to a website where malware is installed using exploit kits.
The Twilio compromise was another example of misconfigured Amazon S3 buckets used as an attack vector, says RiskIQ threat researcher Jordan Herman. Because of how easy they are to find and the level of access it grants attackers, were seeing attacks like this happening at an alarming rate.
After learning of the attack, Twilio locked down the bucket and uploaded a clean version of the library to the bucket path. It conducted an audit of AWS S3 buckets and found others with improper write settings, but say no other hosted SDKs were affected. There is no evidence indicating an attacker accessed customer data or any of its internal systems, code, or data. Twilio Flex customers were not affected.
Attackers Exploit a Common Problem
As indicated in this incident and RiskIQs research, attackers are increasingly looking to exposed S3 buckets to bring malware into otherwise legitimate code. By infecting a single massive supplier, such as Twilio, they can indirectly affect many more businesses that rely on it.
Modern web applications make extensive use of third-party scripts and open source libraries, such as the TaskRouter library published by Twilio, says Ameet Naik, security evangelist at PerimeterX. Often introduced without proper vetting, this shadow code introduces known risks into the application and vastly expands the attack surface.
Compounding this risk is the all-too-common problem of misconfigured cloud storage buckets, which have proved to be a consistent problem for enterprise security over the past few years. In this year alone,
hundreds
of
thousands
of files have been accidentally exposed because S3 buckets werent properly configured. Businesses would be wise
to learn
how to protect them and, like Twilio did in the aftermath of its incident, conduct an audit to see where they may be exposed.
Related Content:
Twitter Breach a Reminder of Need to Protect Corporate Social Media Use
8 Signs of a Smartphone Hack
Ripple20s Effects Will Impact IoT Cybersecurity for Years to Come
The Threat from the Internet—and What Your Organization Can Do About It

Register now for this years fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on
conference information
and
to register
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Twilio Security Incident Shows Danger of Misconfigured S3 Buckets