source link: https://www.pcmag.com/news/357285/eavesdropper-bug-exposes-millions-of-texts-calls

Eavesdropper Bug Exposes Millions of Texts, Calls

The vulnerability was introduced when developers hard coded their credentials in mobile apps using the Twilio REST API or SDK for communications services.


A recently discovered vulnerability affecting almost 700 iOS and Android apps has exposed millions of text messages, calls, and voice recordings, researchers at enterprise mobile threat protection firm Appthority warned Thursday.

The vulnerability, which Appthority researchers have dubbed Eavesdropper, was introduced when developers "carelessly" hard coded their credentials in mobile apps using the Twilio REST API or SDK for communications services. Those developers failed to follow Twilio's guidelines for secure use of credentials and tokens.

"By hard coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings," Appthority's Michael Bentley wrote in a blog post. "The scope of the exposure is massive including hundreds of millions of call records, minutes of calls and audio recordings, and text messages."

About 33 percent of apps with the Eavesdropper bug are business-related. They include "an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white label navigation apps for customers such as AT&T and US Cellular," Appthority wrote in a news release.

The vulnerability, which Appthority has described as "easy" to exploit, would allow an attacker to "access confidential knowledge about a company's business dealings and make moves to capitalize on them for extorting actions or personal gain," Bentley added.

Collectively, the affected apps have been downloaded around 180 million times. Moreover, more than 170 of the affected apps are currently available in official app stores today.

Appthority discovered the flaw in April 2017 and notified Twilio about it the following month. Twilio has since reached out to developers of the affected apps and is working with them to secure their accounts.

Meanwhile, Appthority says this problem is not limited to apps created with Twilio.

"Hard coding of credentials is a pervasive and common developer error that increases the security risks of mobile apps," the firm said. "Developers who hard code credentials in one service have high propensity to make the same error with other services."
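The mistake described above, a Twilio Account SID and Auth Token embedded in the app itself, is one that can be found mechanically in decompiled app code or resource files. The scanner below is an added example written for this page; it is not code from PCMag, Appthority or Twilio. It assumes Twilio's public identifier formats (an Account SID is "AC" followed by 32 hex characters, an API Key SID is "SK" followed by 32 hex characters, and an Auth Token or API Key secret is 32 hex characters), and it also decodes long base64 runs, since some apps ship the pre-built `Authorization: Basic` header rather than the separate strings. The Java snippets it runs over are constructed samples, not code from any real app, and `backend.example` is a hypothetical host.

```python
"""Scan extracted mobile-app text for hard-coded Twilio credentials.

Added example for this page, not Appthority's or Twilio's tooling. The
identifier formats below are Twilio's public ones; everything else (sample
snippets, hostnames) is constructed for the example.
"""
import base64
import re
from dataclasses import dataclass

# Twilio identifier formats (assumption stated in the lead-in):
# Account SID = "AC" + 32 hex, API Key SID = "SK" + 32 hex, Auth Token = 32 hex.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
API_KEY_SID_RE = re.compile(r"\bSK[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Base64 runs long enough to hold "AC<32hex>:<32hex>" (67 bytes -> 92 chars).
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


@dataclass(frozen=True, order=True)
class Finding:
    offset: int   # character offset in the scanned text
    kind: str     # account_sid | api_key_sid | auth_token | basic_auth_header
    value: str


def _basic_auth_credentials(blob: str):
    """Return (user, secret) if blob base64-decodes to 'user:secret', else None."""
    try:
        decoded = base64.b64decode(blob, validate=True).decode("ascii")
    except ValueError:  # bad padding, non-alphabet bytes, non-ASCII payload
        return None
    user, sep, secret = decoded.partition(":")
    return (user, secret) if sep else None


def find_twilio_credentials(text: str, window: int = 500) -> list:
    """Return sorted Findings for Twilio identifiers and secrets in `text`."""
    findings = set()
    for m in ACCOUNT_SID_RE.finditer(text):
        findings.add(Finding(m.start(), "account_sid", m.group(0)))
    for m in API_KEY_SID_RE.finditer(text):
        findings.add(Finding(m.start(), "api_key_sid", m.group(0)))

    # A pre-encoded "Authorization: Basic ..." value hides the SID from a
    # plain grep, so decode candidate base64 runs and inspect "user:secret".
    for m in BASE64_RE.finditer(text):
        creds = _basic_auth_credentials(m.group(0))
        if creds is None:
            continue
        user, secret = creds
        if ACCOUNT_SID_RE.fullmatch(user) or API_KEY_SID_RE.fullmatch(user):
            kind = "account_sid" if user.startswith("AC") else "api_key_sid"
            findings.add(Finding(m.start(), "basic_auth_header", m.group(0)))
            findings.add(Finding(m.start(), kind, user))
            if HEX32_RE.fullmatch(secret):
                findings.add(Finding(m.start(), "auth_token", secret))

    # A bare 32-hex string is ambiguous (it could be an MD5 digest), so flag it
    # only when a Twilio SID sits within `window` characters of it.
    sid_offsets = [f.offset for f in findings if f.kind != "auth_token"]
    for m in HEX32_RE.finditer(text):
        if any(abs(m.start() - off) <= window for off in sid_offsets):
            findings.add(Finding(m.start(), "auth_token", m.group(0)))
    return sorted(findings)


def credential_kinds(text: str) -> list:
    """Distinct finding kinds for `text`, sorted, for quick triage."""
    return sorted({f.kind for f in find_twilio_credentials(text)})


# Constructed sample of decompiled app code (not from any real app): the
# account's master credential lives in the binary, which is the Eavesdropper pattern.
VULNERABLE_SNIPPET = '''
public final class SmsClient {
    private static final String ACCOUNT_SID = "ACa1b2c3d4e5f60718293a4b5c6d7e8f90";
    private static final String AUTH_TOKEN  = "0f1e2d3c4b5a69788796a5b4c3d2e1f0";
    private static final String BASE = "https://api.twilio.com/2010-04-01/Accounts/";
}
'''

# Constructed sample where only the pre-encoded Basic header is embedded.
_HEADER_SAMPLE = base64.b64encode(
    b"ACa1b2c3d4e5f60718293a4b5c6d7e8f90:0f1e2d3c4b5a69788796a5b4c3d2e1f0"
).decode()
OBFUSCATED_SNIPPET = f'conn.setRequestProperty("Authorization", "Basic {_HEADER_SAMPLE}");'

# Constructed sample of the safe shape: the app holds no Twilio credential and
# fetches a short-lived token from its own backend (hypothetical host).
CLEAN_SNIPPET = '''
public final class SmsClient {
    private static final String TOKEN_URL = "https://backend.example/twilio/token";
}
'''

if __name__ == "__main__":
    for name, snippet in [("vulnerable", VULNERABLE_SNIPPET),
                          ("obfuscated", OBFUSCATED_SNIPPET),
                          ("clean", CLEAN_SNIPPET)]:
        print(name, credential_kinds(snippet))
```

Run it over the output of `strings` on an APK or IPA, or over a decompiler's source tree, one file at a time. Any `account_sid` paired with an `auth_token` is the full-access credential Bentley describes, and the fix is architectural rather than cosmetic: move the credential to a backend and hand the app only a short-lived token, as in the clean sample.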
