Twilio: Someone broke into our unsecured AWS S3 silo

Column: IT Technology · Published: 4 years ago


Exclusive: Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK used by its customers.

The cloud communications giant detailed the intrusion to The Register after we were tipped off to the security blunder by a source who wished to remain anonymous. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "non-malicious" code that appeared designed primarily to track whether or not the modification worked.
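The blunder described above is an S3 bucket whose ACL lets anyone write. As an added example (not Twilio's or The Register's code), here is a small audit that flags ACL grants giving anonymous or any-AWS-account principals write permissions; the ACL dicts follow the shape boto3's `get_bucket_acl()` returns, and the sample buckets are constructed.

```python
# Added example: detect world-writable S3 bucket ACLs, the misconfiguration
# that lets an outsider overwrite a hosted SDK. Sample ACLs are constructed
# in the shape boto3's s3.get_bucket_acl() returns. Note that a bucket
# policy granting s3:PutObject to Principal "*" is a separate route to the
# same exposure and must be checked too; S3 Block Public Access covers both.

# AWS predefined groups that mean "everyone" or "anyone with an AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Permissions that allow changing bucket contents or the ACL itself.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_write_grants(acl):
    """Return (who, permission) pairs in an ACL that grant write to the public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not "public"
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who and grant.get("Permission") in WRITE_PERMS:
            findings.append((who, grant["Permission"]))
    return findings


def audit(buckets):
    """Map bucket name -> findings, keeping only buckets that are world-writable."""
    result = {}
    for name, acl in buckets.items():
        findings = public_write_grants(acl)
        if findings:
            result[name] = findings
    return result


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Constructed sample: one bucket is public-read AND public-write, one is public-read only.
SAMPLE_BUCKETS = {
    "sdk-cdn-bucket": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ]},
    "static-assets": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
}

if __name__ == "__main__":
    # With real credentials: acl = boto3.client("s3").get_bucket_acl(Bucket=name)
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: world-writable via {findings}")
```

Public READ on a CDN bucket is usually intended; the finding that matters is any WRITE, WRITE_ACP or FULL_CONTROL grant to a public group.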

"Twilio believes the security of our customers' accounts is of paramount importance," a spokesperson told us.

"We can confirm that the TaskRouter v1.20 SDK contained a non-malicious modification inserted by an external third party due to a misconfigured S3 bucket. We became aware of the incident and immediately worked to close the S3 misconfiguration and audit all S3 buckets.

"These measures were implemented within 12 hours to resolve the issue. We have no evidence at this time that any customer data was accessed by a bad actor. Furthermore, at no time did a malicious party have access to Twilio’s internal systems, code or data."


The JavaScript SDK is Twilio's recommended method for linking your business events, such as incoming phone calls from customers and alerts from monitoring systems, to its TaskRouter platform, which routes calls and jobs to your staff. For instance, if someone who prefers to speak Spanish hits the "call me, I need help" button on your website, your web app uses the TaskRouter SDK to create a task, in this case "call this customer now," which is routed via a queue to a staffer who can speak Spanish and handle the call.

Our source warned us: "There's been a security incident at Twilio. Malicious JavaScript was added to the TaskRouter SDK for about 10 hours." When we pressed Twilio for more information on the nature of the "non-malicious" code it said was injected into the SDK, Twilio told us:

Specifically, the modification added code to the end of the TaskRouter.js v1.20 SDK that made an HTTP GET request to hxxps://gold.platinumus.top/track/awswrite?q=dmn and followed the URL returned in the HTML by that request.

Judging by that snippet, it looks as though this was a near-miss, and whoever accessed the system was simply probing around the codebase to see what they could change in the S3 bucket potentially ahead of any major or dangerous changes. And judging from the URL involved, it appears to be an attempt to install a payment-card skimmer – RiskIQ has spotted the same URL in other S3 buckets targeted by miscreants.

Given that TaskRouter.js serves as one of the link-ups between business applications and the TaskRouter service, this could have been a much worse attack. Twilio tells us it is planning to issue a report with more information on the incident in the coming days. In the meantime, if you recently downloaded and deployed a copy of the SDK, you might want to check you have a clean version. ®
