Mobile app developers who code using the Twillo cloud-based platform and are forgetful about removing their hardcoded credentials have put businesses
Mobile app developers who code using the Twillo cloud-based platform and are forgetful about removing their hardcoded credentials have put businesses messaging data at risk for exposure.
The so-called Eavesdropper vulnerability, disclosed today by Appthority, has been around since 2011 and in apps downloaded likely more than 200 million times.
The researchers privately reported the bug in July; they found 685 enterprise apps (56 percent of them iOS apps) linked to 85 Twillo developer accounts. Many of the apps have been removed from the respective Apple and Google stores but as of August, 75 still remained on Google Play and 102 on the App Store.
“The affected Android apps had been downloaded up to 180 million times,” Appthority said. “Approximately 33 percent of the Eavesdropper apps found are business related. The exposure has been present since 2011. The scope of the exposure is massive including hundreds of millions of call records, minutes of calls and audio recordings, and text messages.”
Appthority said the hardcoded credentials afford an attacker “global access” to metadata in the developers’ Twillo accounts, including text messages, call metadata and recordings.
“Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and make moves to capitalize on them for extorting actions or personal gain,” Appthority said, adding it did not listen to any of the exposed recordings, but based on the types of apps, it’s not far-fetched to assume sensitive business transactions were discussed and negotatied on these calls.
“A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data,” Appthority said.
A request for comment to Twillo was not returned in time for publication. Twillo’s documentation provides guidance on securing credentials. Appthority said an attacker would first need to find exposed enterprise apps built on Twillo; some market themselves as such. Using a YARA rule, for example, an attacker could then search for specific strings in order to identify Twillo IDs and either tokens or passwords authenticating the developer to the platform. Once having access to an account, Appthority said it would be trivial to exfiltrate call and messaging data.
“The attacker only needs to perform reconnaissance, exploitation, and exfiltration actions,” Appthority said. “There is no need to perform weaponization or the other steps as the files are undefended. Once the messaging and audio files have been exfiltrated, the attacker can run a simple script to convert audio files to text and search the text for keywords that would lead to proprietary or sensitive data.”
Earlier this year, Appthority disclosed the Hospital Gown vulnerability, which was linked to developers’ failure to secure backend servers communicating with mobile apps. Many of those servers are on platforms such as Elasticsearch, MongoDB and MySQL. Appthority said it found 21,000 exposed Elasticsearch servers and 43 terabytes of exposed data.