Advertisement

Twilio breach spotlights struggle to keep corporate software kits out of the wrong hands

The damage could have been worse if the attack had been targeted.
Twilio hack
someone had manipulated the code in a software product that Twilio customers use to route calls and other communications. (Flickr/ <a href="https://flic.kr/p/2hK91YP">Web Summit</a>)

The security team at Twilio, a cloud communications company that claimed over $1 billion in revenue last year, could breathe a sigh of relief on Sunday night.

Earlier in the day, someone had manipulated the code in a software product that Twilio customers use to route calls and other communications. The breach resembled a Magecart-style attack that skims websites for users’ financial data. Twilio cleaned up the code hours later, and said there was no sign the attackers had accessed customer data.

But the damage could have been worse if the attack had been targeted, multiple security experts told CyberScoop. With access to the code, which was sitting in an unsecured Amazon cloud storage service known as an S3 bucket, the attackers could have conducted phishing attacks or distributed malware through the platform, according to Yonathan Klijnsma, head of threat research at security company RiskIQ.

Dave Kennedy, founder of cybersecurity company TrustedSec, argued that, by replacing the software development kit, “the attackers had the ability to add any code that could then be executed client side.”

Advertisement

None of that happened, Twilio said, but the incident was a reminder of the risks of leaving corporate code online and unsecured. Magecart-style attacks have been a scourge for corporations around the world, with attackers inserting credit card skimmers on hundreds of websites last year. After one breach that hit British Airways’ website, Britain’s data protection watchdog said it would fine the airline more than $200 million.

Cris Paden, a Twilio spokesperson, declined to comment on “hypotheticals and speculation” on what the attackers could have done with access to Twilio’s software development kit. Paden also declined to comment on how many customers were affected by the incident.

Twilio released a detailed blog post Wednesday on the breach, which was first reported by The Register, that described it as an opportunistic attack meant to serve malicious advertising to mobile users. The incident only affected one version of the software run by the company’s TaskRouter product. Twilio said it had done a thorough investigation and would “improve our monitoring of S3 bucket policy changes to quickly detect unsafe access policies.”

The episode also highlighted the need, in an age of open-source collaboration, for organizations to separate the digital assets they want to be publicly accessible from those that should be sealed, said Kenn White, director of the Open Crypto Audit Project. In some cases you want outside users to be able to read and write files, in other cases that access needs to be denied, added White, who credited Twilio for its transparent response to the breach.

“These things are designed by people, and people maintain them,” White said of S3 configurations. “Humans make mistakes, so you have to have processes in places to catch them.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts