Twilio TaskRouter JS SDK - isotope¹³

← Supply-Chain Attack Compendium

Incident Summary

Twilio SDK hosted on S3 delivered malicious code.

An improperly configured AWS S3 bucket allowed attackers to modify version 1.20 of Twilio's TaskRouter JavaScript SDK hosted for public use. For several hours, websites loading the SDK directly from Twilio's CDN received code modified with malicious script, likely part of a Magecart-related malvertising or skimming campaign.

Date: 2020-07-19 to 2020-07-20
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Malvertising
Cause: Cloud storage misconfiguration

What Was Affected

Package Twilio TaskRouter JS SDK

ComponentLibrary

Artifact typesource archive

Domain typeproject download host

Domain twiliocdn.com

Compromised Versions

TaskRouter JS SDK v1.20

Incident Context

Motive: Financial gain
Attribution: Cybercriminal group
Transitive: No
Observed Duration: 1 days

Evidence

Compromised Artifacts

media.twiliocdn.com/taskrouter/js/v1.20/taskrouter.min.js

Current Artifacts and Analysis

twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020
theregister.com/2020/07/21/twilio_javascript_sdk_code_injection
scworld.com/news/misconfigured-s3-exposes-twilio-users-to-magecart-attack
hxxps://gold[.]platinumus[.]top/track/awswrite?q=dmn # Malicious URL loaded by compromised SDK
SRI sha384:n+W3iUCPkW2u64HjqHqOaSFKB6k4BIYw4Fy8BuxDNkrWcCvd9fwnyZKwYjkxqphy # Legitimate taskrouter.min.js v1.20, base64-encoded SHA384 from Twilio advisory

External References

securityhq.com/blog/security-101-compromised-aws-s3-buckets

Source Data

Source record: proprietary/twilio/meta.yaml