A few weeks ago, on July 19, 2020, Twilio said it learned about a defect in an SDK. On July 23, 2020, the company made the public aware of the exposure via a blog post, sharing:
“A modified version of the TaskRouter JS SDK got uploaded to our site at 1:12 PM PDT (UTC-07:00). We received an alert about the modified file at approximately 9:20 PM PDT and replaced it on our site around 10:30 PM PDT. The modified version may have been available on our CDN or cached by user browsers for up to 24 hours after we replaced it on our site.”
The TaskRouter JS SDK is a library that lets customers interact with Twilio TaskRouter, a tool that provides an attribute-based routing engine which routes tasks to agents or processes. There was a misconfiguration in the S3 bucket that hosted the library, and someone inserted code that made the user’s browser load a URL associated with the Magecart attacks. “This only affected v1.20 of the TaskRouter JS SDK,” Twilio wrote in the incident report.
Within 15 minutes of becoming aware of the attack, Twilio said its product and security teams convened to fix the issue. An hour later, the CPaaS leader said it replaced the bad version of the library and locked down the permissions on the S3 bucket. Twilio said there’s no evidence that any customer data got accessed.
“Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code, or data”
Twilio acknowledges that it had not “Configured the access policy for one of our AWS S3 buckets.” Taking steps to ensure this does not happen again, the CPaaS provider said it would put in place three mitigation tactics to combat the potential of intrusion in the future.
- Restricting direct access to S3 buckets and delivering content only via known CDNs
- Improving the monitoring of its S3 bucket policy changes to ‘quickly’ detect unsafe access policies
- Determining the best way to provide ‘integrity checking’ so customers can confirm they’re using known-good versions of Twilio SDKs
If you downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00), Twilio recommends you re-download the SDK.
This summer was quite busy for Twilio, and it launched several new offerings including the Voice Notifications App. The app is open-source and can be deployed to Heroku in minutes. Get the app on GitHub under the Apache 2.0 license. There’s more, healthcare companies in the US can now deploy workflows to the cloud, while meeting the requirements to keep patient data safe via HIPPA laws. Twilio users can now gain granular insights via APIs on the status of Regulatory Bundles during the phone number provisioning process.
A new workflow for creating regulatory bundles in Console is too available as of this summer. Users gain quick access to before uploaded supporting documents and end-users. Twilio even launched a visual dashboard for developers to watch the performance, troubleshoot issues, and improve the effectiveness of messaging applications.
Through one SIM, users can access to ‘the best cellular networks’ and control IoT devices. Public and private network connectivity’s now located closer to Twilio customer physical business. Bi-directional Media Streams, now in general availability, allow users to stream media from apps to Twilio as well as audio from Twilio to apps. And New Functions Workspace, now in Beta lets users manage and deploy many actions from a single unified workspace.
