Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers
Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers.
In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "non-malicious" code that appeared designed primarily to track whether or not the modification worked.
"We can confirm that the TaskRouter v1.20 SDK contained a non-malicious modification inserted by an external third party due to a misconfigured S3 bucket. We became aware of the incident and immediately worked to close the S3 misconfiguration and audit all S3 buckets."
The JavaScript SDK is Twilio's recommended method for linking your business events, such as incoming phone calls from customers and alerts from monitoring systems, to its TaskRouter platform, which routes calls and jobs to your staff.
The development kit was vandalized as part of an automated cyber-crime campaign that preys on JavaScript code in open S3 buckets to inject malicious ads into browsers.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/07/21/twilio_javascript_sdk_code_injection/