Twilio Security Incident Shows Danger of Misconfigured S3 Buckets

upnorth

Twilio, the cloud communications platform-as-a-service (CPaaS) giant, has confirmed a security incident in which attackers accessed a misconfigured Amazon AWS S3 bucket and modified the TaskRouter JavaScript SDK. The SDK path had been publicly readable and writable since 2015.

More than 5 million developers and 150,000 companies use Twilio, which offers tools to help businesses improve communications over voice, text, and video; its APIs help developers bring voice, video, and text into their applications. Twitter, Spotify, Hulu, Lyft, Yelp, Airbnb, Shopify, Uber, Netflix, and Foursquare are among Twilio's customers. On July 19, Twilio was alerted to a change made to the TaskRouter JS SDK, a library it hosts to help customers interact with TaskRouter, which offers a routing engine to send tasks to agents or processes. The attacker-altered version of the library may have been available on Twilio's CDN or cached by user browsers for up to 24 hours after the code was replaced on its website, which was about an hour after Twilio learned of the incident.

Attackers were able to change the library's code due to a misconfiguration in the S3 bucket that hosted the library. They injected code that made the browser load an extra URL that had been linked to Magecart attacks.
 

Ink

Yesn't.
Unmatched security, compliance, and audit capabilities
Store your data in Amazon S3 and secure it from unauthorized access with encryption features and access management tools. S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level with S3 Block Public Access.
[..] AWS also supports numerous auditing capabilities to monitor access requests to your S3 resources.

Check the Similar threads for previous incidents. There's a familiar trend, but I cannot quite figure it out.
 
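The misconfiguration described in the post above (a bucket path that was world-readable and world-writable for years) and the S3 Block Public Access feature quoted by Ink can both be checked without touching the incident itself. The following Python is an added example, not code from this thread, from Twilio or from AWS: it evaluates the three documents that decide a bucket's exposure, the bucket ACL, the bucket policy and the PublicAccessBlockConfiguration, in the shapes the boto3 calls `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return. The sample documents at the bottom are constructed for the example (hypothetical bucket `example-sdk-bucket`, hypothetical owner ID), not Twilio's real configuration.

```python
import fnmatch

# Predefined groups that make an ACL grant public: AllUsers is anonymous,
# AuthenticatedUsers is any AWS account in the world, public in practice.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
ACL_READ = {"READ", "READ_ACP", "FULL_CONTROL"}
# Policy actions that let a principal replace objects (the SDK case) or read them.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _action_matches(pattern, actions):
    """IAM action strings are case-insensitive globs such as "s3:*" or "s3:Put*"."""
    return any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in actions)


def acl_exposure(acl):
    """(read, write) granted to the public groups in a get_bucket_acl() document."""
    read = write = False
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            read |= grant.get("Permission") in ACL_READ
            write |= grant.get("Permission") in ACL_WRITE
    return read, write


def policy_exposure(policy):
    """(read, write, sids_needing_review) for a bucket policy document.
    Unconditional Allow statements with a wildcard principal count as public;
    conditioned ones are handed to a human, because a Condition such as
    aws:SourceIp may or may not really restrict who can use the grant."""
    read = write = False
    needs_review = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            needs_review.append(stmt.get("Sid", "<no Sid>"))
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            read |= _action_matches(pattern, READ_ACTIONS)
            write |= _action_matches(pattern, WRITE_ACTIONS)
    return read, write, needs_review


def assess_bucket(acl, policy, public_access_block):
    """Effective exposure once Block Public Access is applied: IgnorePublicAcls
    neutralises existing public ACL grants and RestrictPublicBuckets neutralises
    an existing public policy; the other two flags only reject new ones."""
    acl_read, acl_write = acl_exposure(acl)
    pol_read, pol_write, needs_review = policy_exposure(policy)
    bpa = public_access_block or {}
    acl_live = not bpa.get("IgnorePublicAcls", False)
    policy_live = not bpa.get("RestrictPublicBuckets", False)
    return {
        "public_read": (acl_read and acl_live) or (pol_read and policy_live),
        "public_write": (acl_write and acl_live) or (pol_write and policy_live),
        "needs_review": needs_review,
    }


# --- constructed sample documents (hypothetical bucket, not Twilio's real config) ---
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
# Modelled on the incident: anyone can read and replace the hosted files.
OPEN_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                       {"Grantee": ALL_USERS, "Permission": "READ"},
                       {"Grantee": ALL_USERS, "Permission": "WRITE"}]}
OWNER_ONLY_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
# The usual static-asset pattern: anonymous read, uploads only from one IP range.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
    {"Sid": "OfficeUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-sdk-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
NO_POLICY = {}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("open ACL, no Block Public Access:", assess_bucket(OPEN_ACL, NO_POLICY, None))
    print("same ACL, all four flags on:     ", assess_bucket(OPEN_ACL, NO_POLICY, FULL_BLOCK))
    print("hardened asset bucket:           ",
          assess_bucket(OWNER_ONLY_ACL, READ_ONLY_POLICY, {"IgnorePublicAcls": True}))
```

To run this against a real account, feed `assess_bucket` the `Grants`, parsed `Policy` and `PublicAccessBlockConfiguration` from the three boto3 calls named in the lead-in, and remember that the account-level block (`get_public_access_block` on the S3 Control API) applies on top of the bucket-level one. The first sample is the incident class: an `AllUsers` WRITE grant means anyone can overwrite the hosted JavaScript; the second shows the same grants rendered inert by Block Public Access; the third is the pattern a public asset bucket should end up in, anonymous read only, with the IP-conditioned upload statement flagged for review rather than silently trusted.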

Stopspying

"An API Worm In The Making: Thousands Of Secrets Found In Open S3 Buckets. — Truffle Security Co.

Background

S3 buckets are a common place to store files in AWS. These buckets have a feature that allows you to make your files readable by anyone on the internet without authentication. If the content is meant for public consumption, like storing HTML, CSS, and JS assets for a website, this feature can be really useful, but it’s a double edged sword. Frequently, these files contain sensitive information, which has caused several high profile security incidents, including:
A recent incident with Twilio
The Dow Jones data breach
A Verizon Wireless data breach
Typically the data exposed is the end of the reported story, but we’ve found it’s often not the end of the security story.

Since we recently added S3 support to TruffleHog, we thought scanning the set of publicly exposed buckets for credentials would be a great way to get ahead of potential security incidents, and we ended up finding thousands of distinct secrets spanning hundreds of customers..."
 

jogs

Some services become popular because they are easy to use but compromise on security. Most big IT companies have lots of customers because they have provided their customers with easy-to-use services without giving any priority to security. Also, users are more concerned about the ease of use of a service than about the safety of their customers' data.
 

Stopspying

jogs said:
Some services become popular because they are easy to use but compromise on security. Most big IT companies have lots of customers because they have provided their customers with easy-to-use services without giving any priority to security. Also, users are more concerned about the ease of use of a service than about the safety of their customers' data.

Zoom is a good example of this, IMO. It had been around for some considerable time without getting very popular until this year. Then, when it took off, its security flaws came under wider scrutiny and the vulnerabilities are repeatedly being exposed on security blogs etc. Yet the mass consumer market and many businesses continue to use it.
 
