Incident Of The Week: Slip-Up In Mobile App Code Exposes 180M Users



Dan Gunderman
11/10/2017

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a coding mistake which reportedly affected 685 apps and exposed at least 180 million phones. Users' text and call data was left vulnerable to hackers because of a third-party coding issue involving credentials.

The incident was uncovered by security firm Appthority on Thursday.

Developers accidentally hard-coded credentials for accessing sensitive information into various apps. As a result, data for calling, texting and other services provided by Twilio, Inc. became susceptible to attack. Twilio powers messaging and calls (including recordings for business settings, e.g., Wrappup and RingDNA) in an application format.

Persistent black hats could access these embedded credentials by reviewing an app's code. With the credentials in hand, they could then infiltrate user data, according to Appthority's Director of Security Research, Seth Hardy, as relayed via Reuters. Once inside a Twilio developer's account, the hacker would have free rein over troves of information that are likely to be profitable.


Apps open to this data exposure include the AT&T Navigator app, pre-loaded onto many Android phones, and more than a dozen GPS navigation apps from Telenav, Inc. The number of installs of these apps: 180 million on Android, and an unknown number for Apple's iOS-powered devices.

In reporting these findings, Appthority did not publish a line-item account of all the apps affected, so as not to tip off hackers. Twilio, which deals with 40,000 businesses worldwide, works with big-name companies such as Uber Technologies and Netflix, Inc. These high earners typically have security reviews which catch coding errors, and there has been no word that they've been touched by the recent credentialing blunder.

Sadly, Hardy calls this a pretty common issue with third-party services: the more outside sources that are given a green light into application systems, the higher the chance of exposure.


Furthering its investigation, Appthority warned Amazon.com, Inc. that it had discovered credentials for 902 developer accounts with the company's cloud service (in a scan of over 20,000 apps). The information can be used to access sensitive app data.

Vulnerabilities appear to arise as developers use identical credential information across accounts. To be clear, Hardy says that Twilio is not to blame for the exposure, as its website warns developers about left-behind credentials and the probability of hacks.
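A pre-release check for the mistake described above, as an added example that is not from Appthority, Twilio or the original article: it scans an app's own source text for hard-coded Twilio and Amazon cloud credentials and reports them redacted. The `scan_source` helper, the three-line pairing window and the sample Java snippets are assumptions made for illustration.

```python
import re

# Twilio Account SIDs are "AC" + 32 hex characters; auth tokens are 32 hex characters.
TWILIO_SID = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
# Long-lived AWS access key IDs are "AKIA" + 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
WINDOW = 3  # assumption: a token within 3 lines of a SID belongs to it


def redact(value):
    """Keep the finding reportable without copying the secret into build logs."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(path, text):
    """Return (path, line, kind, redacted) findings for one file's text."""
    lines = text.splitlines()
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((path, no, "aws-access-key-id", redact(m.group())))
        for m in TWILIO_SID.finditer(line):
            # "A" and "C" are hex digits too, so the 34-char SID never matches HEX32.
            nearby = "\n".join(lines[max(0, no - 1 - WINDOW):no + WINDOW])
            kind = "twilio-sid+token" if HEX32.search(nearby) else "twilio-sid-only"
            findings.append((path, no, kind, redact(m.group())))
    return findings


# Constructed sample inputs: placeholder values, not real credentials.
HARDCODED = '''public class CallService {
    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";
    static final String BUCKET_KEY = "AKIAEXAMPLEKEY000000";
}'''
SERVER_SIDE = '''public class CallService {
    // the app asks its own backend for a short-lived token instead
    String token = backend.fetchCallToken(userId);
}'''

if __name__ == "__main__":
    for name, src in (("CallService.java", HARDCODED), ("CallServiceFixed.java", SERVER_SIDE)):
        hits = scan_source(name, src)
        for path, no, kind, shown in hits:
            print(f"{path}:{no}: {kind} {shown}")
        print(f"{name}: {'FAIL' if hits else 'ok'}")
```

A `twilio-sid+token` finding is the case the article describes: both halves of a usable credential pair ship inside the app, so the account credentials need rotating as well as removing from the code.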

Trak Lord, a spokesman for Twilio, said there is no evidence that hackers tapped into coded credentials to glimpse user data. The company is, however, working to change configurations on the aforementioned accounts.

Eighty-five flagged Twilio accounts reportedly equated to 685 "problem" apps, Appthority determined in its scan of 1,100 apps.

In the wake of the revelation, Twilio's shares dropped 7%.

Have tips on other buzzworthy incidents? Share them with Associate Editor Dan Gunderman by emailing dan.gunderman@cshub.com.