back to article Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers

Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. The cloud communications giant detailed the intrusion to The Register after we were tipped off to the security blunder by a source who wished to remain anonymous …

  1. jake Silver badge

    Broke into its unsecured cloud storage systems?

    More like strolled in for a recce and decided to spraypaint the walls while they were there.

    Does "maintaining an attractive nuisance" mean anything anymore?

    1. HildyJ Silver badge
      Facepalm

      Re: Broke into its unsecured cloud storage systems?

      I understand that some companies create a honeypot to detect hackers, but somebody should have told Twilio that they weren't supposed to use their production codebase as bait.

  2. rmacd

    And this is exactly why SRI is so important & needs to be enforced across all browsers as standard... and flag any sites that don't do this.

    More fundamentally, the idea of uncontrolled/3rd party resources being pulled in on client-side without any checks at all is just ludicrous in this day and age. This is precisely what happened in BA's massive keylogging hack, and I'm sure loads of other high-profile examples are just a search away...

    1. joesomeone
      Boffin

      Cool! But maybe not for the BA break-in?

      Just looked into SRI and that seems like some cool ass stuff. I am a bit concerned that W3 consider SHA384 as the baseline hash... seems like a bit of overkill, especially when considering mobile devices and power consumption. Maybe SHA computing has been optimized in hardware? But then again, scripts don't tend to be that big I guess.

      But re-refreshing myself with the BA breakin, their core website was broken into and had their own HTML hacked to pull a script loaded from a non-related domain that kinda looked like it might belong to British Airways...

      So, I'm not sure how SRI would have helped here. This wasn't a third-party hosted script that was changed. This was their first-party website hacked to load a third-party script.

      The correct solution would have been to (carefully) monitor changes to critical files.. and I'm assuming that their payment pages should have fallen under PCI 11.5(a).

      1. Richard 12 Silver badge

        Re: Cool! But maybe not for the BA break-in?

        SHA is optimized rather aggressively, and many platforms do have specific hardware to do it.

        Even "real time" systems are doing extensive SHA hashing these days to verify that data and code hasn't become corrupted - though mostly guarding against accident rather than deliberate attack.

      2. Anonymous Coward
        Anonymous Coward

        Re: Cool! But maybe not for the BA break-in?

        >especially when considering mobile devices and power consumption. Maybe SHA computing has been optimized in hardware?

        Yes. Pretty much all relevant ARM devices support ARM NEON, which is a SIMD extension that includes acceleration of SHA384 and SHA512.

    2. Warm Braw Silver badge

      this is exactly why SRI is so important

      I'm assuming that Twilio weren't serving their SDK directly from the unsecured S3 bucket and therefore that this was some sort of internal copy. If, by chance, it were the master copy and the change went undetected and was then made public via the official route, the malicious code would have been included in the hash.

      SRI can detect changes made after code has been published; if the code has been changed by the back door before it's published, it doesn't really help. That's not to say you shouldn't use it for the cases it covers.

    3. Doctor Syntax Silver badge

      the idea of uncontrolled/3rd party resources being pulled in on client-side without any checks at all is just ludicrous normal in this day and age.

      FTFY

  3. logicalextreme Bronze badge

    Open S3 bucket you say?

    Well, let this first ever instance of such a thing happening be a warning to others.

    1. joesomeone
      Terminator

      Re: Open S3 bucket you say?

      Can we impale them on a spike as a warning to others?

    2. MyffyW Silver badge

      Re: Open S3 bucket you say?

      "There was this S3 bucket..." and so begins many a lamentable tale of loss and heartbreak. Really? In 2020? For fsck sake...

      1. logicalextreme Bronze badge

        Re: Open S3 bucket you say?

        …dear Liza, dear Liza…

        1. jake Silver badge

          Re: Open S3 bucket you say?

          That would be ELIZA, Shirley?

  4. revenant Silver badge

    Non-malicious?

    " ... judging from the URL involved, it appears to be an attempt to install a payment-card skimmer"

    Twilio are playing it down somewhat aren't they? There seems to more than a hint of malice in that behaviour.

    1. MyffyW Silver badge

      Re: Non-malicious?

      Indeed, I would politely suggest the very act of changing somebody else's files is a malicious act. The intentions can only be guessed at...

      1. Anonymous Coward
        Anonymous Coward

        Re: Non-malicious?

        The definition being used here is in regards to the compromise of sensitive user data. By that definition this attack was benign since it didn't infiltrate anything, extract anything, or attempt to damage anything. It was a dry run.

        The logic used to determine malicious code isn't quite the same as malicious intent. Code is quantifiable, whereas intent is intangible.

        1. jake Silver badge

          Re: Non-malicious?

          From what I can see, it wasn't really an attack.

          It was, however, trespass and vandalism. Both of which are crimes in most jurisdictions. And both show obvious intent.

  5. bigphil9009

    Lament

    There was an unsecured S3 bucket,

    Whose developers had said "let's just fuck it"

    "We need this thing done,

    Then off we can run

    And our users? Well they just can suck it."

  6. fidodogbreath Silver badge

    If "Liar Liar" happened IRL

    "<CORPNAME> believes the security of our customers' accounts is of paramount importance," a spokesperson told us.

    "Haha, just kidding. We can't be bothered even put a simple password on that crap," the spokesperson continued. "Since we got caught and called out, we'll make a show of locking stuff down for while. But that's inconvenient as hell, so once you lot move on to the next breach we'll be back to business as usual."

  7. Maximum Delfango
    Facepalm

    "...Transform your customer communications with Twilio..."

    ...says their fizzy website.

    Well, they've certainly done that.

  8. Chris Clawson

    This is worrying

    I use Authy for two-factor authentication, and Twilio owns Authy now. If their security is this lax, how will I know if my accounts are protected?

    1. jake Silver badge

      Re: This is worrying

      "how will I know if my accounts are protected?"

      Frankly, you don't know. Neither do I. And in fact, we can't know.

      Kinda makes you feel all warm and fuzzy inside, no?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020