Twilio today disclosed that its TaskRouter JS SDK was compromised by attackers after they gained access to one of its misconfigured Amazon AWS S3 buckets which left the SDK’s path publicly readable and writable for roughly five years, since 2015.
Twilio is a cloud communications platform as a service (CPaaS) company that powers communications for over 40,000 businesses and helps developers add voice, video, messaging, and authentication capabilities to their apps using Twilio’s web service APIs.
The company’s customer list includes Twitter, Netflix, Uber, Shopify, Morgan Stanley, Airbnb, Wix, Spotify, Yelp, Hulu, Intuit, ING, eBay, and countless others.
According to an incident report published by Twilio today, the attackers injected the malicious code only within version 1.20 of the TaskRouter JS SDK library used by customers to route tasks to agents or processes via the Twilio TaskRouter attribute-based routing engine.
“Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” Twilio said.
Malicious SDK served for at least 24 hours
The company says that its security and product teams replaced the malicious TaskRouter JS SDK library and secured the S3 bucket within an hour of first being alerted to the attack.
As Twilio explained, the altered TaskRouter JS SDK library may have been available through user browsers or via the company’s CDN for up to another 24 hours after being replaced.
Twilio says that it has found no evidence so far of the attackers gaining access to any customer information or data. The attackers were also not able to access any of Twilio’s internal systems, code, or data.
After the initial remediation, the company audited its other AWS S3 buckets and found additional unsecured buckets, but says that no other hosted SDKs were impacted in the incident.
Also during the incident review, the company discovered that the path hosting the TaskRouter JS SDK had been left configured with public write access for almost five years.
During our incident review, we identified that this path was not initially configured with public write access when it was added in 2015. We implemented a change 5 months later while troubleshooting a problem with one of our build systems and the permissions on that path were not properly reset once the issue had been fixed. – Twilio
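The defect described above is an object or bucket permission that grants write access to everyone, which an ACL and bucket-policy audit can catch. The following is an added example, not Twilio's own tooling; the ACL and policy documents are constructed to mirror the shapes returned by the S3 GetBucketAcl / GetObjectAcl and GetBucketPolicy calls, and the bucket name is a placeholder.

```python
"""Flag S3 ACL grants and bucket-policy statements that let the public write.
Added example, not Twilio's tooling; documents are constructed in the shapes
returned by GetBucketAcl / GetObjectAcl and GetBucketPolicy."""
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}  # any AWS account = public
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
POLICY_WRITE = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}


def public_write_grants(acl):
    """(group URI, permission) for each ACL grant giving a public group write access."""
    hits = []
    for g in acl.get("Grants", []):
        who = g.get("Grantee", {})
        if who.get("Type") == "Group" and who.get("URI") in PUBLIC_GROUPS \
                and g.get("Permission") in ACL_WRITE:
            hits.append((who["URI"], g["Permission"]))
    return hits


def public_write_statements(policy_json):
    """Sids of Allow statements granting a write action to an anonymous principal.
    Conditions are not evaluated, so every hit is a finding to review, not a verdict."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for i, st in enumerate(stmts):
        p = st.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if st.get("Effect") == "Allow" and anonymous and any(a.lower() in POLICY_WRITE for a in acts):
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits


# Constructed: public READ is expected for a CDN-served SDK; public WRITE is the defect.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SDK_PATH_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
# Constructed: a troubleshooting statement that was never reverted (bucket name is a placeholder).
SDK_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-sdk-bucket/sdk/*"},
    {"Sid": "BuildDebug", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-sdk-bucket/sdk/*"}]})
```

Running both checks over real account output (for example, the JSON from `aws s3api get-bucket-acl` and `get-bucket-policy`) surfaces the kind of lingering public-write grant that the incident review describes.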
Twilio said that “while Twilio Flex uses TaskRouter to provide routing of interactions to agents, Flex customers were not impacted by this issue. Twilio Flex uses a different SDK for TaskRouter, does not load it from the public site, and bundles it as part of a single JS file for flex-ui.”
However, the company also urged customers to replace the impacted SDK immediately if they downloaded it while it was compromised.
If you downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00), you should re-download the SDK immediately and replace the old version with the one we currently serve. – Twilio
The Magecart connection
jqueryapi1oad is connected to 671 unique domains, “including a domain in the top 1,500 of Alexa rankings,” as RiskIQ threat researcher Jordan Herman told BleepingComputer. “We’ve detected 173 newly affected domains since the start of the month.”
Herman also said that the Twilio compromise is yet another instance of unsecured Amazon S3 buckets used as an attack vector.
“Because of how easy they are to find and the level of access it grants attackers, we’re seeing attacks like this happening at an alarming rate.”
— Yonathan Klijnsma (@ydklijnsma) July 22, 2020
Twilio found that the malicious code injected into the TaskRouter JS SDK library loads a URL from gold.platinumus[.]top/track/awswrite and then redirects to other sites, blocking the use of the browser’s back button and attempting to collect data about mobile devices along the way.
“This script also specifically attempts to gather data about the size of the user’s touchscreen and uses events that are targeted at mobile devices,” Twilio said.
“This behavior, along with the indicators, are consistent with a malvertising campaign associated with the Magecart group of attacks targeted at users of mobile devices.
“We believe that the attack was designed to serve malicious advertising to users on mobile devices.”
The redirect campaign in the @twilio incident is from a prolific traffic distributor dealing in malvertising, ad fraud, tech scams and at one point skimming. We covered it here: https://t.co/1SxOj9lRTW
— Jérôme Segura (@jeromesegura) July 22, 2020
Update: Added additional jqueryapi1oad info from Jordan Herman.