Twilio SDK Found Abused for Malvertising Attack


This week, cloud communications platform as a service (CPaaS) company Twilio reported a security incident in which hackers uploaded a modified version of the TaskRouter JS SDK to its site.

The incident occurred on 19 July and was discovered several hours later; the modified file was removed within an hour.

Designed to provide easy interaction with the Twilio TaskRouter, the SDK was hosted in an improperly secured Amazon Web Services S3 bucket, making it accessible to the attackers.

The hackers were able to inject code “that made the user’s browser load an alien URL affiliated with attack group Magecart,” the company says.

Only version 1.20 of the TaskRouter JS SDK was affected, and the incident was quickly remediated. Twilio does not believe this was a targeted attack, but rather an opportunistic one.

“At this time, we have no proof that a bad actor was accessing any customer data. In addition, at no time has a malicious party compromised Twilio’s internal systems, code, or data,” says Twilio.

The incident, the company explains, was the result of a misconfiguration introduced about five years ago, which left access to the path that stores the TaskRouter SDK improperly secured, allowing anyone to read and write to it.

“One S3 bucket from Twilio is used to support public content from the domain. We are hosting copies of our client-side JavaScript SDKs for Programmable Chat, Programmable Video, Twilio Client, and Twilio TaskRouter on that domain but this problem only affected v1.20 of the TaskRouter SDK,” the company notes.

The attackers accessed that path through the Tor network on July 19 and uploaded a modified version of the file taskrouter.min.js.

The attack on Twilio’s improperly secured S3 bucket was part of a Magecart-linked campaign first observed in May, which resulted in hundreds of unique domains being injected with the malicious “jqueryapi1oad” redirecting cookie.

The redirector first appeared in April 2019 but continues to be used, says RiskIQ, which examined the campaign. The security firm found a total of 362 unique domains that were affected.

In the modified file that the attackers uploaded to the vulnerable S3 bucket, Twilio found the very same “jqueryapi1oad” cookie. The attack was intended to redirect users to a malicious domain and also to collect sensitive information about their computers.

“We performed a detailed audit of our AWS S3 buckets, and found other buckets with unsuitable write settings. This was the original bucket backup, which had a copy of the access rules. The other buckets we found didn’t store output or customer data and we didn’t find any signs of abusing them. None of the other hosted SDKs in Twilio had been affected,” the company also states.
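An audit of the kind described above can be automated. The following is an added example, not Twilio's tooling: it flags anonymous write access in a bucket policy and ACL, assuming both were already fetched in the JSON shape S3 returns. The article does not say whether the misconfiguration was in a policy or an ACL, so both are checked; the bucket name and statements are constructed.

```python
import fnmatch

# S3 actions that let a caller replace or tamper with hosted objects.
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketPolicy"]
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "Principal": "*" and {"AWS": "*"} both mean "anyone".
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_write_findings(policy, acl_grants):
    """Return human-readable findings for anonymous write access."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not flagged here
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action wildcards (*, ?) are matched case-insensitively.
            if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in WRITE_ACTIONS):
                findings.append(f"policy {stmt.get('Sid', '?')}: anonymous {pattern} on {stmt.get('Resource')}")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("URI") == ALL_USERS and grant.get("Permission") in WRITE_PERMS:
            findings.append(f"acl: AllUsers has {grant['Permission']}")
    return findings

# Constructed sample: public read is intended for a CDN bucket, public write is not.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
        {"Sid": "LegacySdkPath", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::example-sdk-bucket/sdk/*"},
    ],
}
SAMPLE_ACL = [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]

if __name__ == "__main__":
    for finding in public_write_findings(SAMPLE_POLICY, SAMPLE_ACL):
        print(finding)
```

Statements that carry a `Condition` are skipped rather than cleared, so they still need a manual look.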

Twilio urges those who downloaded a copy of TaskRouter JS SDK 1.20 between 19 July, 1:12 PM and 20 July, 10:30 PM PDT (UTC-07:00), to re-download and immediately replace it. The replacement was carried out automatically for applications that dynamically load the SDK from Twilio’s CDN.

“Public cloud protection infrastructure vulnerability is a crown jewel for any attacker given the extent of control over dependent organizations and mobile applications that are widely deployed. Storage configuration, SDK and API attacks are an increasingly exploited vector that can result in misdirection, malware intrusion, exploitation and data theft,” said Mark Bower, senior vice president at comforte AG, in an emailed statement.

“While malvertising was the initial endgame here, that can in itself lead to end user applications and secondary data theft being compromised. Given the increasing dependence and sophistication of cloud applications and platforms, with further adoption, human error will have increasing effect and data breach implications, signalling the need for new approaches to protect risky data from simple but easy to make mistakes at a more robust level,” added Bower.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.