Twilio, a cloud communications platform as a service (CPaaS) company, disclosed that attackers tampered with its TaskRouter JS SDK after gaining access to one of its misconfigured Amazon AWS S3 buckets. The misconfiguration had left the SDK's path publicly readable and writable since 2015. Twilio's customers include Twitter, Netflix, Uber, Shopify, Morgan Stanley, Airbnb, and others.

Compromise of common cloud infrastructure is the jewel in the crown for any attacker, given the scope of influence over dependent enterprises and broadly deployed mobile applications alike. Storage misconfiguration, SDK and API attacks are increasingly exploited vectors that can lead to misdirection, malware injection, and the manipulation and theft of data. While malvertising was the initial endgame here, that in itself can lead to compromise of end-user platforms and secondary data theft. Given the increasing dependency on, and complexity of, cloud applications and platforms, human error will have a growing impact and greater data breach ramifications as adoption continues, signaling the need for more robust approaches to securing data that is put at risk by simple, easy-to-make mistakes.
Breaches like these are all too common in cloud environments. The complexity around configurations, identity, and access in the cloud is creating many opportunities for bad actors. Companies need help from partners and tools that can identify such misconfigurations when they occur, in order to lower their overall risk exposure.
Modern web applications make extensive use of third-party scripts and open source libraries, such as the TaskRouter library published by Twilio. Often introduced without proper vetting, this Shadow Code introduces unknown risks into the application and vastly expands the attack surface. Misconfigured S3 buckets remain a common way for hackers to introduce malware into otherwise legitimate scripts. By compromising a single widely used supplier such as Twilio, hackers can gain access to hundreds of websites.
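The misconfiguration at the root of this incident is a bucket policy that lets anonymous callers write to a path that serves scripts. The following is an added example, not Twilio's configuration or code: an offline check over a bucket policy document that flags Allow statements granting write-class S3 actions to everyone, shown against a constructed weak policy and its read-only correction. The bucket name, Sids, and policy contents are hypothetical; bucket ACL grants and policy Conditions are not evaluated here.

```python
import json

# Constructed weak policy (hypothetical bucket): anyone may read AND write under sdk/.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicSdk",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-sdk-bucket/sdk/*",
    }],
})

# Corrected policy: anonymous principals may only read the published SDK files.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicSdkReadOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-sdk-bucket/sdk/*",
    }],
})

# Actions (lower-cased) that let a caller alter or remove objects; "s3:*" and "*" cover everything.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _is_anonymous(principal):
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_write_statements(policy_json):
    """Return the Sids of Allow statements that let anonymous callers modify objects."""
    flagged = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        # Catch explicit write actions and wildcards such as s3:Put* or s3:*.
        if actions & WRITE_ACTIONS or any(a.startswith("s3:put") for a in actions):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged
```

Running the check against a live account means fetching each bucket's policy with the AWS CLI or SDK and feeding the JSON to `public_write_statements`; any non-empty result is a bucket an outsider can use to replace served content.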
Client-side attacks like these can lead to massive data breaches, resulting in compliance penalties running into the millions. For instance, British Airways was fined $240M in 2019 for GDPR violations resulting from a client-side Magecart attack on its online booking application.
Businesses need to invest in client-side application security to ensure full visibility and control over client-side scripts and avoid data breaches.