"Eavesdropper" Vulnerability Exposes Millions of Private Conversations because of hardcoded secrets
Security researchers have discovered that dozens of developers have left API credentials in hundreds of applications built around the Twilio service. Attackers can extract these credentials from the shipped app packages (a hardcoded credential survives in the compiled binary's strings, resource files, or config bundles, and needs no source access) and use them against the Twilio API to gain access to conversations and SMS messages sent by that app — and its users — via Twilio, a cloud platform that allows third-party apps to make and receive phone calls and SMS messages via programmatic APIs to various telephony providers.
"We found the Eavesdropper vulnerability on over 685 enterprise apps (44% Android, 56% iOS) associated with 85 Twilio developer accounts," the Appthority team said in a report published today. Appthority says that around a third of all affected apps are enterprise related, potentially granting attackers access to highly sensitive financial and business phone calls and SMS alerts.
The cause of the Eavesdropper issue is careless developers. We've seen many cases in the past where developers embed API and server credentials in an app's code instead of keeping them on a backend service the app talks to, which is the only place a secret can actually be kept from whoever holds the device; the client should receive, at most, short-lived tokens scoped to what that user is allowed to do. The same Appthority report on the Eavesdropper vulnerability also points out that researchers found similar credentials for Amazon S3 servers. A Fallible study published earlier this year found that 2,500 of 16,000 Android apps had some type of credentials inside them, usually for services like Twitter, Dropbox, Instagram, Slack, Flickr, or Amazon Web Services (AWS).
If you commit sensitive data, such as a password or SSH key, into a Git repository, you can remove it from the history. To entirely remove unwanted files from a repository's history you can use the git filter-branch command, the BFG Repo-Cleaner, or git filter-repo (the tool GitHub now recommends over filter-branch). However, be warned: once you have pushed a commit to GitHub, you should consider any data it contains to be compromised, because clones, forks, and CI caches keep the old history no matter what you rewrite. Rotate first, then scrub: if you committed a password, change it; if you committed a key, generate a new one.
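Both of the problems above (credentials baked into a shipped app, and credentials about to land in a Git commit) are caught by the same check: scan the text for the vendors' credential formats before it leaves your hands. The script below is an added example and is not Appthority's tooling or Twilio's code; the formats it relies on are the public ones (a Twilio Account SID is `AC` plus 32 hex digits, a Twilio API Key SID is `SK` plus 32 hex digits, an AWS access key ID is `AKIA` or `ASIA` plus 16 upper-case alphanumerics). A Twilio auth token is a bare 32-hex string, so it is only flagged when assigned to a name containing "token", which keeps git SHAs and other hex identifiers from flooding the output. The sample Java class is constructed; none of its values are real credentials.

```python
"""Scan a repo checkout or a decompiled app for hardcoded Twilio and AWS credentials.

Added example (not the vendor's or the researchers' code). Run it over an
apktool / class-dump output directory, or wire `main` into a pre-commit hook.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, List, NamedTuple

# Public identifier formats documented by Twilio and AWS.
PATTERNS = {
    "twilio_account_sid": re.compile(r"\b(AC[0-9a-fA-F]{32})\b"),
    "twilio_api_key_sid": re.compile(r"\b(SK[0-9a-fA-F]{32})\b"),
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    # Auth tokens are plain 32-hex; require an assignment to a "token" name.
    "twilio_auth_token": re.compile(
        r"(?i)(?:auth|twilio)[_-]?token\s*[:=]\s*[\"']?([0-9a-f]{32})\b"
    ),
}

# File types worth reading in a source tree or an unpacked app (assumed list).
SOURCE_SUFFIXES = {".java", ".kt", ".smali", ".swift", ".m", ".plist",
                   ".xml", ".json", ".js", ".py", ".properties", ".txt"}


class Finding(NamedTuple):
    source: str
    line_no: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep enough of the value to locate it without re-leaking it in CI logs."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str, source: str = "<string>") -> List[Finding]:
    """Return one Finding per credential-shaped match, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(source, line_no, kind, redact(match.group(1))))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Walk a directory and scan every file with a scannable suffix."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return findings


# Constructed sample of a leaky Android config class. The SID and token are
# made up; the AWS key is Amazon's documented dummy value, not a live key.
SAMPLE_JAVA = """\
public class TwilioConfig {
    static final String ACCOUNT_SID = "ACdeadbeefdeadbeefdeadbeefdeadbeef";
    static final String AUTH_TOKEN  = "0123456789abcdef0123456789abcdef";
    static final String S3_KEY      = "AKIAIOSFODNN7EXAMPLE";
}
"""


def main(argv: Iterable[str]) -> int:
    """Usage: secrets_scan.py [path ...]  (defaults to the current directory).
    Exits 1 when anything is found so it can gate a commit or a CI job."""
    roots = [Path(a) for a in argv] or [Path(".")]
    findings = []
    for root in roots:
        if root.is_dir():
            findings.extend(scan_tree(root))
        else:
            findings.extend(scan_text(root.read_text(errors="ignore"), str(root)))
    for f in findings:
        print(f"{f.source}:{f.line_no}: {f.kind} {f.redacted}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Against the constructed sample, `scan_text(SAMPLE_JAVA)` reports three findings on lines 2, 3 and 4 (Account SID, auth token, AWS key ID), each redacted to its first and last four characters so the scanner's own output is safe to paste into a ticket. Running it over an unpacked APK or IPA is the quick way to reproduce the class of problem the report describes for your own apps; running it as a pre-commit hook is how you avoid needing the history rewrite in the first place.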