Twilio SDK S3 bucket served malware
An exposed S3 bucket let attackers alter Twilio's hosted TaskRouter JS SDK v1.20. The injected code loaded malvertising infrastructure from customer pages.
Story
Twilio's TaskRouter JavaScript SDK v1.20 was served as a hosted browser dependency from media.twiliocdn.com. On 2020-07-19, attackers modified that hosted file through a misconfigured AWS S3 bucket.
The injected code set a cookie named jqueryapi1oad and requested gold.platinumus.top/track/awswrite. Twilio associated the behavior with a known malvertising campaign; the returned content led to further attacker-controlled infrastructure.
Twilio said the affected window ran from 20:12 UTC on 2020-07-19 to 05:30 UTC on 2020-07-20. Customers who pinned the script with Subresource Integrity were protected because the modified file no longer matched the expected hash.
The incident was narrow but instructive. The library source was not the only artifact that mattered; the hosted copy was production code. A public CDN object with weak write controls became part of every page that trusted it.
Affected Artifacts
- Observed: 2020-07-19 to 2020-07-20
- Compromised Versions:
- Fixed: Not listed
- Evidence:
  - distribution: media.twiliocdn.com/taskrouter/js/v1.20/taskrouter.min.js
  - mirror: twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020
  - mirror: theregister.com/2020/07/21/twilio_javascript_sdk_code_injection
  - mirror: scworld.com/news/misconfigured-s3-exposes-twilio-users-to-magecart-attack
  - +4 more
Incident Context
- Motive: Financial Gain
- Attribution: Group
- Cause: Cloud Storage Misconfiguration
- Transitive: No
- Actor: Cybercriminal group
External References
Source record: proprietary/twilio/meta.yaml