Eavesdropper – Twilio SDK And Rest API Vulnerability
Earlier this year, the Appthority Mobile Threat Team (MTT) of security experts discovered
large scale data leakage with HospitalGown, a backend data loss vulnerability, where
developers write data directly from their apps to unauthenticated NoSQL systems
with public visibility and access. While reviewing our automated detection of apps with
hardcoded credentials, we noticed a handful of apps with hardcoded credentials that
were using the Twilio REST API.
In the process of examining these apps, they identified this as a significant vulnerability
in nearly a thousand apps and discovered another major data leak. The credentials
carelessly provided in these apps give full access to all records stored in the Twilio
backend for the developer’s account.
They called this vulnerability Eavesdropper because providing the Twilio account
ID and Twilio account token (password) hardcoded in the app creates a vulnerability
that exposes call record metadata, recorded call audio, as well as text messages. The
accessible records are not limited to those of the user of the vulnerable app, but include
all records associated with the developer’s Twilio account for that app and other apps
created by that developer. They believe this is likely the largest active enterprise data leak
from a mobile app vulnerability discovered to date.
This vulnerability shows how a simple developer mistake of exposing
their credentials in one app can affect larger families of apps, even compromising
other apps where best practices were followed, using side channel and historical
attacks. Even if these compromised apps are taken down from app stores, the data
is still at risk until the developers take actions that prevent all but the most recent
version of their vulnerable apps from being used – a major step which will likely cause
disruption for company and end users of the apps.
The scope of the data leak is staggering, revealing hundreds of millions of:
• Call records
• Minutes of calls
• Minutes of call audio recordings
• SMS and MMS text messages
In the interest of security Appthority have not released a list of the effected apps.
The Appthority Mobile Threat Team (MTT) monitors and investigates mobile risks that
pose a direct threat to mobile enterprises. Its goal is to provide research that educates
and informs enterprises looking to protect their people, data, devices, apps, and
networks from mobile risks.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.