It has been revealed that security researchers have discovered that tens of developers have left API credentials in hundreds of applications built around the Twilio service. This in turn can allow a hacker global access to metadata in the developers Twilio accounts, including messages, call metadata and recordings.
Commenting on the news is Josh Mayfield, director at FireMon, who said:
The Eavesdropper vulnerability brings a new flavor to the mobile threats organisations face. By hardening code credentials, the attackers can exploit the details of a user across any Twilio enabled apps. This means that only one malicious app can begin to perform reconnaissance across the device.
Organisations can fall victim to unforeseen attack even while sweeping their credentials, because the attack takes note of changes happening within the infected apps, including: credential changes. This allows Eavesdropper a measure of persistence, like trying to swat an exceptionally agile house fly.
By extracting metadata from across communication apps, the attackers can learn about the user and their behaviours, connections, communication regularities, and more. This is a well-spring of data to take advantage as the user connects to enterprise systems. Using relatively basic algorithms, the attackers can correlate user tendencies and from there, exploit the systems for which the user has access.
With a dissolving perimeter and identity becoming all the more essential to secure our systems, organisations can be baffled when the identity itself is compromised. The best way to protect against this kind of exploit is to ensure configuration assurance throughout the network (on-prem, cloud, virtual, etc).