Information Security News mailing list archives

Twilio: Someone broke into our unsecured AWS S3 silo, added 'non-malicious' code to our JavaScript SDK


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 22 Jul 2020 07:14:05 +0000 (UTC)

https://www.theregister.com/2020/07/21/twilio_sdk_code_injection/

By Shaun Nichols in San Francisco
The Register
21 Jul 2020

Exclusive - Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK used by its customers.

The cloud communications giant detailed the intrusion to The Register after we were tipped off to the security blunder by a source who wished to remain anonymous. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "non-malicious" code that appeared designed primarily to track whether or not the modification worked.

"Twilio believes the security of our customers' accounts is of paramount importance," a spokesperson told us.

"We can confirm that the TaskRouter v1.20 SDK contained a non-malicious modification inserted by an external third party due to a misconfigured S3 bucket. We became aware of the incident and immediately worked to close the S3 misconfiguration and audit all S3 buckets.

"These measures were implemented within 12 hours to resolve the issue. We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code or data."
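The root cause Twilio describes is a bucket ACL that let anyone write objects. As an added example (not code from the article or from Twilio), the following Python script shows what the "audit all S3 buckets" step looks like in practice: it inspects an ACL in the shape boto3's `get_bucket_acl()` returns and flags any grant that gives the AllUsers or AuthenticatedUsers group a write-class permission. The two ACLs and the `StubS3Client` are constructed for illustration so the script runs offline; against a real account you would pass a `boto3.client("s3")` to `audit_buckets()` instead.

```python
"""Flag S3 bucket ACL grants that make a bucket world-writable.

Added example, not part of the article or of Twilio's tooling. The grant
dictionaries mirror the shape boto3's get_bucket_acl() returns; the sample
ACLs and the stub client below are constructed for illustration.
"""
from typing import Dict, List

# Pre-canned group URIs AWS uses for anonymous and any-AWS-account access.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# Permissions that let a grantee add or replace objects (WRITE), rewrite the
# ACL itself (WRITE_ACP), or do anything at all (FULL_CONTROL).
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_write_grants(acl: Dict) -> List[str]:
    """Return 'Group:PERMISSION' strings for every grant in an S3 ACL that
    hands a public group a write-class permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are account-scoped, not public
        uri = grantee.get("URI", "")
        perm = grant.get("Permission", "")
        if uri in PUBLIC_GROUPS and perm in WRITE_PERMISSIONS:
            findings.append(f"{uri.rsplit('/', 1)[-1]}:{perm}")
    return findings


def is_world_writable(acl: Dict) -> bool:
    return bool(public_write_grants(acl))


def audit_buckets(s3_client) -> Dict[str, List[str]]:
    """Run the check over every bucket the client can list and return
    {bucket_name: findings} for buckets with public write grants. Any object
    exposing list_buckets() and get_bucket_acl(Bucket=...) works here, so a
    real boto3 S3 client can be substituted for the stub."""
    results = {}
    for bucket in s3_client.list_buckets().get("Buckets", []):
        name = bucket["Name"]
        findings = public_write_grants(s3_client.get_bucket_acl(Bucket=name))
        if findings:
            results[name] = findings
    return results


# --- constructed sample data ------------------------------------------------
OWNER_ONLY_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
}

WORLD_WRITABLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}


class StubS3Client:
    """Minimal stand-in for boto3's S3 client so the audit runs offline."""

    def __init__(self, acls: Dict[str, Dict]):
        self._acls = acls

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self._acls]}

    def get_bucket_acl(self, Bucket: str):
        return self._acls[Bucket]


if __name__ == "__main__":
    client = StubS3Client({"sdk-cdn-bucket": WORLD_WRITABLE_ACL,
                           "private-logs": OWNER_ONLY_ACL})
    for name, findings in audit_buckets(client).items():
        print(f"{name}: public write via {', '.join(findings)}")
```

The ACL is only one of two ways a bucket becomes writable by strangers: a bucket policy whose `Principal` is `"*"` and that allows `s3:PutObject` has the same effect, so a complete audit also reads each bucket policy, and enabling S3 Block Public Access at the account level shuts off both paths regardless of what individual buckets say. Note also that a public READ grant, as in the sample, is not flagged here; whether anonymous reads are acceptable depends on whether the bucket is meant to serve public assets.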

[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
Follow InfoSec News on Twitter
https://twitter.com/infosecnews_
Follow InfoSec News on LinkedIn
https://www.linkedin.com/company/infosecnews/