July 9

Shadows, zombies, and Twilio’s wide-open API


The Twilio breach is a bit more painful to me than the Dell breach because it happened through an unprotected Authy endpoint. Authy is a two-factor authentication app. That it had an unauthenticated API endpoint without any other protections is a massive problem, given that this is primarily a security product. Even bigger is – and from what I’ve read so far, this is true – the fact that this breach was not noticed until the threat actors released the data.

The data that has leaked so far includes phone numbers, accounts, and device details – no usernames or passwords. The threat actors have suggested validating these phone numbers against the Gemini and Nexo cryptocurrency breach databases. Further comparisons against other breach databases will probably yield reused passwords, and, used in combination with smishing, this will likely lead to some theft of crypto or account takeovers (ATOs).

API security

The number of breaches due to unsecured APIs is much too high. Security has not kept pace as we’ve transitioned to primarily API-based apps. I’d estimate that API security is where web app security was in 2004. The OWASP list for API security is in its second iteration. Security teams are now starting to build API governance frameworks and the controls to secure their APIs. However, if you expose a test API without any protection, you end up with another data breach.

Why does this happen? The number of motivated threat actors taking notes from each breach and having access to automation is much greater than in 2004. There are forums, Telegram channels, and other online platforms where threat actors can share malware, exploits, and information on how to make money from these attacks. With automation and artificial intelligence in the mix, even low-skilled hackers can conduct advanced API attacks.

So, what could Twilio have done to prevent this breach?

  • API governance policies that ensured that all these endpoints were known and secured
  • Access control for all endpoints
  • Effective rate-limiting that can identify and slow down/block low and slow automated attacks
  • Improved alerting to notify them about abnormal activity
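To make the last three items in that list concrete, here is an added example (not Twilio's or Authy's code) of a phone-number lookup handler with the controls stacked in front of it: an API-key check, a burst rate limit plus a long-window limit that also catches steady low-and-slow sweeps, and an alert that fires when one source walks through many distinct phone numbers regardless of how slowly it does so. The API key, the limits, the IP addresses and the phone numbers are all constructed placeholders.

```python
"""Defensive controls in front of a phone-number lookup endpoint.

Constructed example: the API key table, the limits and the sample traffic
are made up for illustration; nothing here is Twilio's or Authy's code.
"""
from collections import defaultdict, deque
import hmac


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # source -> timestamps of allowed requests

    def allow(self, source, now):
        q = self.hits[source]
        while q and q[0] <= now - self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class EnumerationDetector:
    """Flag a source that queries more than `distinct_limit` different phone
    numbers within `window` seconds, even when each request is spaced out
    enough to stay under the per-minute rate limit (a low-and-slow sweep)."""

    def __init__(self, distinct_limit, window):
        self.distinct_limit, self.window = distinct_limit, window
        self.seen = defaultdict(deque)  # source -> (timestamp, phone)

    def record(self, source, phone, now):
        q = self.seen[source]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        q.append((now, phone))
        return len({p for _, p in q}) > self.distinct_limit


class LookupAPI:
    # Constructed placeholder credential; a real deployment keeps keys in a secret store.
    API_KEYS = {"app-key-0001": "mobile-app"}

    def __init__(self, registered):
        self.registered = registered  # phone -> account details (constructed)
        self.burst = SlidingWindowLimiter(limit=10, window=60)         # 10 per minute
        self.daily = SlidingWindowLimiter(limit=200, window=24 * 3600)  # 200 per day
        self.detector = EnumerationDetector(distinct_limit=50, window=3600)
        self.alerts = []  # what would be shipped to the SOC / paging system

    def lookup(self, api_key, source_ip, phone, now):
        # 1. Access control: no valid key, no answer at all. A constant-time
        #    comparison avoids leaking key prefixes through response timing.
        key = api_key or ""
        if not any(hmac.compare_digest(key, k) for k in self.API_KEYS):
            return 401, {"error": "unauthorized"}
        # 2. Rate limiting on two time scales: the burst limit stops fast
        #    scripts, the long window caps a patient, evenly spaced sweep.
        if not (self.burst.allow(source_ip, now) and self.daily.allow(source_ip, now)):
            return 429, {"error": "rate limited"}
        # 3. Alerting: one source touching many distinct numbers is the
        #    signature of enumeration, whatever the request rate.
        if self.detector.record(source_ip, phone, now):
            self.alerts.append({"source": source_ip, "at": now, "reason": "phone enumeration"})
        # 4. Minimal response: return only what the caller needs, never the
        #    full device record.
        return 200, {"registered": phone in self.registered}


def simulate_slow_sweep(api, source_ip="198.51.100.7", count=60, interval=30):
    """Constructed traffic: one source looks up `count` different numbers,
    one every `interval` seconds, slow enough to pass the per-minute limit.
    Returns the list of HTTP status codes the handler produced."""
    statuses = []
    for i in range(count):
        status, _ = api.lookup("app-key-0001", source_ip, f"+1555010{i:04d}", now=i * interval)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    api = LookupAPI(registered={"+15550100001": {"account": "constructed"}})
    print(simulate_slow_sweep(api).count(200), "requests accepted,",
          len(api.alerts), "enumeration alerts raised")
```

The point of the simulation is that the per-minute limiter alone never trips: at one request every 30 seconds every call returns 200, yet the detector still raises an alert once the source crosses 50 distinct numbers in an hour. That is the alerting gap the list above describes: rate limiting answers "how fast", but only a distinct-target count answers "is this a sweep".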

When it comes to API security, I love using the following image to show the problem:

[image not included in this copy]