Twilio revealed that its TaskRouter JS SDK was compromised by criminals after they gained access to one of the company's Amazon AWS S3 buckets, a misconfiguration that had left the SDK exposed for about five years.
Twilio is a CPaaS (cloud communications platform as a service) company that supports communications for more than 40,000 businesses and helps their developers add voice, video, messaging and authentication capabilities to applications through the Twilio APIs.
The company's customer list includes: Twitter, Netflix, Uber, Shopify, Morgan Stanley, Airbnb, Wix, Spotify, Yelp, Hulu, Intuit, ING, eBay and many more.
According to Twilio, the attackers injected the malicious code only into version 1.20 of the TaskRouter JS SDK library.
"Due to a misconfiguration of the S3 bucket that hosted the library, a hacker was able to inject code that made the user's browser load a URL associated with Magecart attacks," said Twilio.
The malicious SDK was available for at least 24 hours
As the company explained, the modified TaskRouter JS SDK library may have remained available for up to 24 hours after it was replaced.
Twilio says it has not found any evidence (so far) that the attacker gained access to customer information or data. The attackers also could not access any of Twilio's internal systems, code or data.
The company also checked its other AWS S3 buckets and found several more that were not properly secured. However, no other SDKs were affected.
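The root cause described above is a bucket whose ACL or bucket policy lets anyone write, which is exactly what the audit of the remaining buckets had to look for. The following is an added example, not Twilio's code or the article's: it flags public write grants in the JSON shapes that boto3's `get_bucket_acl` and `get_bucket_policy` return, run here on constructed sample input with a placeholder bucket name.

```python
import json

# Group URIs AWS uses for "anyone" / "any AWS account" grantees in S3 ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def acl_public_write(acl):
    """Return [(group, permission)] for ACL grants letting a public group write."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group and grant.get("Permission") in ACL_WRITE_PERMS:
            hits.append((group, grant["Permission"]))
    return hits


def _public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside a list)."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)


def policy_public_write(policy):
    """Return Sids (or 'statement[i]') of Allow statements giving write-class actions
    to everyone. Statements carrying a Condition are still flagged for human review."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _public_principal(stmt.get("Principal", {})):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in ("*", "s3:*") or a.lower().startswith(("s3:put", "s3:delete"))
               for a in actions):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


# Constructed samples. Public READ is normal for a CDN origin; public WRITE is the defect.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::PLACEHOLDER-sdk-bucket/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::PLACEHOLDER-sdk-bucket/*"},
]})
```

Against a live account, feed `boto3.client("s3").get_bucket_acl(Bucket=b)` and `get_bucket_policy(Bucket=b)["Policy"]` into the two functions; both return exactly these shapes, and anything they flag is a bucket from which a hosted library could be overwritten.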
The company urged customers to replace the infected SDK.
"If you have downloaded a copy of version v1.20 of the TaskRouter JS SDK between July 19, 2020, 1:12 p.m. and July 20, 10:30 p.m., you will need to download the SDK again and replace the old version with the one we currently have."
The connection to Magecart attacks
Twilio determined that the malicious code injected into the TaskRouter JS SDK library loads a URL from gold.platinumus[.]top/track/awswrite and then redirects to other sites, blocking the browser back button and attempting to collect data related to mobile devices.
"This script also tries to collect data on the size of the user's touch screen and targets mobile devices," Twilio said.
"This behavior is consistent with a malvertising campaign related to Magecart attacks, which target mobile users. We believe the attack was designed to display malicious ads to users."