Appthority has discovered a significant data exposure vulnerability called Eavesdropper that impacts nearly 700 enterprise apps associated with 85 Twilio developer accounts.
According to the report, the Eavesdropper vulnerability is caused by hard-coding credentials in mobile apps that use the Twilio Rest API or SDK.
“The developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings,” Appthority further warned.
The breakdown of affected apps by mobile OS is 44% Android and 56% iOS. The affected Android apps alone had been downloaded up to 180 million times.
To compound matters, the Eavesdropper vulnerability also appears to affect other third-party services, including Amazon’s cloud storage solution S3 (Simple Storage Service). According to Appthority, nearly 40% of the apps they analyzed with the Eavesdropper vulnerability also have Amazon credentials exposed, including credentials for 2,030 Amazon accounts in 20,098 apps. The company validated that 902 of them are still active.
To fix the issue, developers will need to update their apps to stop using hard-coded credentials and also change (rotate) the credentials that have already been exposed, since an app update does not revoke keys that were already extracted from older builds.
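The class of defect described above can be caught before release by scanning the strings of an app build. The following is an added example (it is not Appthority's tooling or code from the report): a small Python scanner that flags the published Twilio Account SID, Twilio auth token and AWS access key ID formats in a list of strings and reports whether a complete SID/token pair, the Eavesdropper condition, is present. The sample strings are constructed and contain no real credentials.

```python
import re
from dataclasses import dataclass

# Published credential formats: a Twilio Account SID is "AC" + 32 lowercase hex,
# a Twilio auth token is 32 lowercase hex (matched only next to a key name so
# every MD5-sized hash in the binary is not flagged), and an AWS access key id
# is "AKIA" (or "ASIA" for temporary keys) + 16 uppercase alphanumerics.
PATTERNS = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "twilio_auth_token": re.compile(r"(?i:auth[_-]?token)\W{0,3}([0-9a-f]{32})\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}

# Constructed sample, shaped like the output of `strings` on an app binary
# or a decompiled resources file. All values are fake.
SAMPLE_STRINGS = [
    "https://api.twilio.com/2010-04-01/Accounts/",
    "TWILIO_ACCOUNT_SID=AC0123456789abcdef0123456789abcdef",
    "TWILIO_AUTH_TOKEN=fedcba9876543210fedcba9876543210",
    "AKIAIOSFODNN7EXAMPLE",          # AWS documentation's own example key id
    "Welcome to the app",
    "AC0123456789ABCDEF0123456789ABCDEF",  # wrong case: not a SID, must not match
]


@dataclass(frozen=True)
class Finding:
    kind: str
    redacted: str   # the report never carries the full secret
    context: str    # start of the string it was found in


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def scan_strings(strings):
    """Return one Finding per credential-shaped value, in input order."""
    findings = []
    for s in strings:
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(s):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(kind, redact(secret), s[:24]))
    return findings


def account_level_exposure(findings) -> bool:
    """True when both a SID and an auth token are embedded: that pair is what
    gives the holder the account-wide access the Eavesdropper report describes."""
    kinds = {f.kind for f in findings}
    return {"twilio_account_sid", "twilio_auth_token"} <= kinds


if __name__ == "__main__":
    hits = scan_strings(SAMPLE_STRINGS)
    for h in hits:
        print(f"{h.kind:20} {h.redacted:16} in {h.context!r}")
    print("account-level Twilio exposure:", account_level_exposure(hits))
```

A lone SID (for example in a public API URL) is not a finding of the same severity; the scanner escalates only when the token is also present.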