A coding error, dubbed Eavesdropper, in a third-party service which is used by up to 685 mobile apps for text messaging and audio calls, exposed sensitive data of up to 180 smartphone users to hackers.
Eavesdropper vulnerability in third party service Twilio allowed hackers to access a large metadata stored in Twilio accounts.
Even though there is no evidence of hackers actually exploiting the said vulnerability, security research firm Appthority said that the flaw potentially exposed text/SMS messages, call metadata, and voice recordings in as many as 685 apps used by over 180 million people to hackers.
'Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and make moves to capitalize on them for extorting actions or personal gain,' said the firm.
'We believe that the data may potentially include business and personal discussions such as negotiations, pricing discussions, confidential recruiting calls, proprietary product and technology disclosures, health diagnoses, market data, and M&A planning. A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data,' it added.
The said vulnerability emerged when Twilio's developers, in violation of documented guidelines for secure use of credentials and tokens, erroneously configured all apps that used Twilio's services to leak audio and message-based communications. The same could be accessed by malicious actors without performing malware injections or gaining root access to devices.
The Eavesdropper vulnerability was first discovered by the firm in April and was subsequently patched by Twilio. Initially, the firm found that as many as 685 apps were affected by the flaw, with 56% and 44% of them being iOS and Android apps.
'As of the end of August 2017, 75 of these apps were available on Google Play, and 102 were on the App Store. The affected Android apps had been downloaded up to 180 million times. Approximately 33% of the Eavesdropper apps found are business related,' the firm noted.
Appthority added that the said Eavesdropper vulnerability was also noticed in Amazon Cloud Storage data. The firm noted that as many as 40% of vulnerable apps also had Amazon credentials exposed that included credentials for 2,030 Amazon accounts in 20,098 apps.
'The data exposure is much larger than just the mobile app’s resources. S3 bucket names are globally unique, encouraging them to be descriptive, and usually limited to 100 per account, which often leads to data not being properly compartmentalized.
'Based on the names of the buckets, credential leakage often exposes information including the developers’ Amazon infrastructure and network resources, including company information such as customers and sales data through database backups,' the firm added.