Cyber Incident Victim: Twilio

Date: Jul 2020

Location: United States of America

Summary

A cloud communications provider had its TaskRouter JS SDK compromised through a misconfigured AWS S3 bucket that had been left publicly readable and writable for several years. Attackers injected malicious code into version 1.20 of the SDK; the code was linked to the Magecart and Hookads malvertising campaigns and targeted mobile users through redirects and data collection. The company remediated the issue within an hour, securing the bucket and replacing the compromised SDK, though the malicious version may have remained available for up to a day. No customer data or internal systems were breached. An audit revealed additional unsecured buckets, but no other hosted SDKs were affected. Flex customers were not impacted because Flex uses a different SDK implementation.


Description

On July 19, 2020, attackers compromised Twilio's TaskRouter JS SDK by exploiting a misconfigured Amazon AWS S3 bucket that had been publicly readable and writable since 2015. The attackers injected malicious code into version 1.20 of the SDK, which customers used to route tasks through Twilio's attribute-based routing engine. The malicious code loaded a URL (gold.platinumus[.]top/track/awswrite) associated with Magecart attacks, redirecting users through a series of sites while blocking the browser back button. The script specifically targeted mobile devices, collecting touchscreen size data and triggering mobile-specific events to serve malicious advertising. This campaign was linked to Hookads, a malvertising operation tracked by RiskIQ as jqueryapi1oad, which used JavaScript redirectors to funnel victims through decoy sites resembling ads or games, ultimately deploying malware via exploit kits. Twilio's customer base included prominent organizations such as Twitter, Netflix, Uber, and Shopify, though the company confirmed no evidence that attackers accessed customer data, internal systems, or proprietary code during the incident.

Twilio's security and product teams remediated the compromise within one hour of detection, replacing the malicious SDK and securing the vulnerable S3 bucket. The altered SDK may have remained accessible via browsers or Twilio's CDN for up to 24 hours after remediation. The company urged customers who downloaded version 1.20 between July 19, 2020, 1:12 PM PDT and July 20, 10:30 PM PDT to replace it immediately with the clean version. An audit of Twilio's AWS S3 buckets revealed additional misconfigured buckets, though no other hosted SDKs were impacted. Twilio clarified that Flex customers were unaffected, as Flex used a separate SDK bundled within a single JS file rather than loaded from the public site. The investigation confirmed the compromised S3 path had public write access for nearly five years, a configuration weakness that went undetected for a long time. The attackers' focus on mobile malvertising and their connection to the widespread Hookads campaign, which involved 671 unique domains, underscored the operational scope of the threat. Twilio maintained that the incident did not result in unauthorized data access or system breaches beyond the SDK manipulation.
