Misconfigured S3 exposes Twilio users to Magecart attack


A misconfiguration in an S3 bucket that was hosting a Twilio Javascript library caused a bad threat actor to inject code that made Twilio users load an extraneous URL on their browsers that has been associated with the Magecart group of attacks.

In a company blog, Twilio said this solely affected v1.20 of the TaskRouter JS SDK. The TaskRouter JS SDK operates as a library that lets customers easily interact with Twilio TaskRouter, which offers an attribute-based routing engine that routes tasks to agents or processes.

According to the blog, the modified version of the TaskRouter JS SDK was uploaded to the Twilio site at 1:12 p.m. Pacific time Sunday, July 19. The company received an alert about the file at 9:20 p.m. that same day. Within 15 minutes of becoming aware of the attack, its product and security teams moved to contain and remediate the incident. Roughly one hour after the initial alert, Twilio replaced the bad version of the library and locked down the permissions on the S3 bucket.

“We have no evidence at this time that any customer data was accessed by a bad actor,” the blog said. “Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code or data.”

Twilio said it does not believe this was an attack targeted at Twilio or any of its customers. Rather, the attack appears opportunistic and related to a large and well-known campaign to find and exploit open AWS S3 buckets on the Internet for financial gain.

“The Twilio compromise was another example of misconfigured Amazon S3 buckets used as an attack vector,” said Jordan Herman, a threat researcher at RiskIQ. “Because of how easy they are to find and the level of access it grants attackers, we're seeing attacks like this happening at an alarming rate.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.