Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers

Warm Braw Silver badge

this is exactly why SRI is so important

I'm assuming that Twilio weren't serving their SDK directly from the unsecured S3 bucket and therefore that this was some sort of internal copy. If, by chance, it were the master copy and the change went undetected and was then made public via the official route, the malicious code would have been included in the hash.

SRI can detect changes made after code has been published; if the code has been changed by the back door before it's published, it doesn't really help. That's not to say you shouldn't use it for the cases it covers.
