A significant data exposure vulnerability affects almost 700 apps in enterprise environments, and millions of smart phone owners are at risk of having some of their text messages and calls intercepted by hackers.
Cyber-security firm Appthority warned on Thursday that the vulnerability is caused by including hard coded credentials in mobile applications that are using the Twilio Rest API or SDK.
By hard coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings. As a result, the vulnerability is called Eavesdropper.
The findings highlight new threats posed by the increasing use of third-party services such as Twilio that provide mobile apps with functions like text messaging and audio calls. Developers can inadvertently introduce security vulnerabilities if they do not properly code or configure such services.
Although Appthority has not extensively analyzed the recordings out of respect for privacy, due to the nature of the apps, they believe that the data may potentially include business and personal discussions such as negotiations, pricing discussions, confidential recruiting calls, proprietary product and technology disclosures, health diagnoses, market data, and M&A planning. A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data.
Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware. An Eavesdropper attack is possible simply because developers have failed to follow Twilio's documented guidelines for secure use of credentials and tokens and allowed theses apps to leak audio and message-based communications.
Appthority first discovered the Eavesdropper vulnerability in April, 2017 and notified Twilio in July about the exposed accounts. The research firm found the Eavesdropper vulnerability on over 685 enterprise apps (44% Android, 56% iOS) associated with 85 Twilio developer accounts. As of the end of August 2017, 75 of these apps were available on Google Play, and 102 were on the App Store. The affected Android apps had been downloaded up to 180 million times. Approximately 33% of the Eavesdropper apps found are business related. The exposure has been present since 2011.
Twilio spokesman Trak Lord said the company has no evidence that hackers used credentials coded into apps to access customer data but that it was working with developers to change the credentials on affected accounts.
The vulnerability only affects calls and texts made inside of apps that use messaging services from Twilio, including some business apps for recording phone calls, according to Appthority.
Appthority said it also warned Amazon.com that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps.