Incident: Coding Error in Mobile Apps Exposes Millions to Hacking

Published Date: 2017-11-09

Postmortem Analysis
Timeline
1. The software failure incident happened in November 2017 [65591, 65054].

System
1. Developers mistakenly coded credentials for accessing services provided by Twilio Inc in at least 685 mobile apps, leading to a software failure incident [65591, 65054].
2. Twilio's security measures failed to prevent the exposure of credentials in the apps, contributing to the vulnerability [65591, 65054].
3. Lack of proper coding and configuration of third-party services like Twilio by developers led to the introduction of security vulnerabilities [65591, 65054].

Responsible Organization
1. Developers were responsible for causing the software failure incident by mistakenly coding credentials for accessing services provided by Twilio Inc in at least 685 mobile apps [65591, 65054].

Impacted Organization
1. Smartphone users: millions of smartphone users were at risk of having their calls and text messages intercepted by hackers due to the coding error in mobile apps [65591, 65054].
2. Twilio Inc: the software failure incident involved a coding error in apps that accessed services provided by Twilio Inc, potentially exposing Twilio credentials to hackers [65591, 65054].
3. App developers: developers who mistakenly coded credentials for accessing services provided by Twilio Inc were impacted by the software failure incident [65591, 65054].

Software Causes
1. A simple coding error in at least 685 mobile apps led to the exposure of credentials for accessing services provided by Twilio Inc, allowing hackers to intercept calls and text messages [65591, 65054].
2. Developers mistakenly coded credentials for accessing text messaging, calling, and other services provided by Twilio Inc, making millions of smartphone users vulnerable to interception of their communications [65591, 65054].
3. The vulnerability was caused by developers leaving credentials in the apps, rather than by an issue with Twilio itself [65591, 65054].
4. The use of third-party services like Twilio without proper coding or configuration by developers introduced security vulnerabilities in the affected apps [65591, 65054].

Non-software Causes
1. Lack of proper coding practices by developers, leading to the exposure of credentials in apps [65591, 65054].
2. Reuse of the same account credentials across multiple apps by developers [65591, 65054].

Impacts
1. Millions of smartphone users were at risk of having their calls and text messages intercepted by hackers due to a simple coding error in at least 685 apps, potentially exposing sensitive data sent over those services [65591, 65054].
2. Shares of Twilio slid nearly 7 percent after the Appthority report was released, indicating a negative impact on the company's stock value [65591].
3. The vulnerability affected up to 180 million smartphone owners, highlighting the widespread nature of the issue and the potential scale of the security threat [65054].
4. The incident raised concerns about the security risks associated with the increasing use of third-party services like Twilio, emphasizing the need for developers to properly code and configure such services to prevent security vulnerabilities [65591, 65054].
5. The exposure of credentials for developer accounts with cloud-service provider Amazon Web Services also posed a risk of unauthorized access to app user data stored on Amazon, further amplifying the potential impact of the software failure incident [65054].

Preventions
1. Proper code review and testing procedures during app development could have prevented the software failure incident by catching the coding error that exposed Twilio credentials in the apps [65591, 65054].
2. Implementing secure coding practices and following security guidelines provided by third-party service providers like Twilio could have helped prevent the exposure of sensitive credentials in the apps [65591, 65054].
3. Using unique credentials for each app or service integration instead of reusing the same credentials across multiple apps could have mitigated the risk of widespread security vulnerabilities [65591, 65054].
4. Regular security audits and monitoring of app codebases for potential vulnerabilities could have proactively identified and addressed the coding error before it could be exploited by hackers [65591, 65054].

Fixes
1. Developers need to review and correct the coding errors in the affected apps that exposed Twilio credentials, ensuring that sensitive information is not easily accessible to hackers [65591, 65054].
2. Implement proper security measures and best practices when integrating third-party services like Twilio to prevent inadvertent security vulnerabilities [65591, 65054].
3. Developers should avoid hardcoding credentials in the code of their apps and instead use secure methods for storing and accessing sensitive information [65591, 65054].
4. Regular security audits and reviews should be conducted on apps, especially those using third-party services, to identify and rectify any potential security risks [65591, 65054].
5. Companies like Twilio should work closely with developers to change credentials on affected accounts and enhance security protocols to prevent unauthorized access to customer data [65591, 65054].
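The audit step in Preventions 4 and Fixes 3 and 4, as an added example that is not part of the original report or of any Appthority or Twilio tooling: a small scanner that flags credential-shaped literals in app source and config files, and reports any credential value reused across more than one app (the reuse problem the Non-software Causes list names). The credential formats (Twilio Account SID, Twilio auth token, AWS access key ID) and the two sample files are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed credential formats (not from the report): Twilio Account SID = "AC" + 32 hex,
# Twilio auth token = 32 hex, AWS access key ID = "AKIA" + 16 uppercase alphanumerics.
PATTERNS = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "twilio_auth_token": re.compile(r"(?i)auth_?token\W{1,5}[\"']([0-9a-f]{32})[\"']"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def redact(value):
    """Keep just enough of a value to triage the finding without reprinting the secret."""
    return value[:4] + "..." + value[-2:]

def find_hardcoded_credentials(path, text):
    """Return one finding per credential-looking literal in a source or config file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append({"path": path, "line": line_no, "kind": kind,
                                 "value": value, "redacted": redact(value)})
    return findings

def shared_across_apps(findings):
    """Credential values present in more than one app: one leaked app exposes them all."""
    apps_by_value = defaultdict(set)
    for f in findings:
        apps_by_value[f["value"]].add(f["path"])
    return {v: sorted(p) for v, p in apps_by_value.items() if len(p) > 1}

# Constructed sample files (not real apps) standing in for two apps built from one code base.
SAMPLE_FILES = {
    "navigator/SmsConfig.java": """\
public final class SmsConfig {
    static final String TWILIO_ACCOUNT_SID = "ACdeadbeefdeadbeefdeadbeefdeadbeef";
    static final String TWILIO_AUTH_TOKEN  = "0123456789abcdef0123456789abcdef";
    static final String TOKEN_ENDPOINT = "https://api.example.com/twilio-token";
}
""",
    "traffic/app.properties": """\
twilio.accountSid=ACdeadbeefdeadbeefdeadbeefdeadbeef
aws.accessKeyId=AKIAEXAMPLEEXAMPLE01
""",
}

def scan_all(files=SAMPLE_FILES):
    # Scan every file and return the combined findings; the endpoint URL line is not flagged.
    return [f for path, text in files.items() for f in find_hardcoded_credentials(path, text)]
```

Running `scan_all()` on the samples reports four literals, and `shared_across_apps` shows the same Account SID embedded in both apps, so rotating it for one app without the other leaves the second app exposed.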
References
1. Appthority's director of security research, Seth Hardy [65591, 65054]
2. Twilio Inc [65591, 65054]
3. AT&T Navigator app [65591]
4. Telenav Inc [65591]
5. Amazon Web Services [65054]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization: the article mentions that Appthority found Twilio credentials exposed in a now-defunct version of the AT&T Navigator mapping and GPS app, which was a re-branded version of an app originally built by Telenav. Newer versions of the AT&T app appeared to be safe, but data sent over them could still be at risk if the developer of a related app is still using the same Twilio account. The same Twilio credentials were found coded in more than a dozen other Telenav apps [65591].
(b) The software failure incident having happened again at multiple_organization: the article highlights that Appthority also warned Amazon.com Inc that it had found credentials for at least 902 developer accounts with cloud-service provider Amazon Web Services in a scan of 20,098 different apps. These credentials could be used to access app user data stored on Amazon [65054].

Category: Phase (Design/Operation)
Option: design
Rationale:
(a) The software failure incident in the articles was primarily due to a design issue. Developers mistakenly coded credentials for accessing services provided by Twilio in at least 685 apps, leading to a vulnerability that could allow hackers to intercept calls and text messages [65591, 65054]. This coding error introduced a security vulnerability in the system during the development phase, highlighting the importance of proper coding and configuration of third-party services like Twilio to prevent such incidents.
(b) The operation or misuse of the system does not seem to be a significant contributing factor to the software failure incident reported in the articles. The focus is more on the design flaw introduced by developers in coding credentials for accessing services provided by Twilio, which could be exploited by hackers [65591, 65054].

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) The software failure incident related to the exposure of Twilio credentials in multiple apps, leading to potential interception of calls and text messages, was primarily within the system. The failure was caused by a simple coding error made by developers in at least 685 apps, allowing hackers to access credentials for Twilio services [65591, 65054]. The vulnerability stemmed from developers mistakenly coding credentials within the apps, which could be accessed by reviewing the code, rather than being a direct fault of Twilio itself. Twilio's website warned developers about the risks of leaving credentials in apps, indicating that the issue originated internally within the development process.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in the articles was primarily due to non-human_actions. The incident was caused by a simple coding error in at least 685 apps that led to the exposure of credentials for accessing services provided by Twilio Inc. This error allowed hackers to potentially intercept calls and text messages of millions of smartphone users [65591, 65054].
(b) However, human_actions also played a role in the incident, as the mistakes in coding the credentials were made by developers who inadvertently left the credentials in the apps, exposing their accounts to hackers. The responsibility for the error was attributed to the developers rather than Twilio itself, as Twilio warns developers against leaving credentials in apps [65591, 65054].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident reported in the articles is primarily due to contributing factors that originate in software. The incident involved a simple coding error made by developers in at least 685 mobile apps, which put millions of smartphone users at risk of having their calls and text messages intercepted by hackers [65591, 65054]. The error involved developers mistakenly coding credentials for accessing services provided by Twilio Inc, allowing hackers to potentially access sensitive data sent over those services. The vulnerability was caused by developers leaving credentials in the apps, rather than being a hardware-related issue.
(b) The software failure incident is not attributed to hardware-related factors but rather to software-related factors. The coding error in the apps, which led to the security vulnerability, was a result of developers mistakenly coding credentials for accessing services provided by Twilio Inc [65591, 65054]. The incident underscores the risks associated with improper coding or configuration of third-party services like Twilio, highlighting the importance of software security practices in preventing such vulnerabilities.

Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The software failure incident reported in the articles is non-malicious. The incident was caused by a simple coding error made by developers in at least 685 mobile apps, leading to the exposure of credentials for accessing services provided by Twilio Inc. This error put up to 180 million smartphone users at risk of having their calls and text messages intercepted by hackers [65591, 65054]. The mistakes were attributed to developers rather than Twilio, and the company was working with developers to change the credentials on affected accounts to mitigate the vulnerability [65591, 65054].

Category: Intent (Poor/Accidental Decisions)
Option: accidental_decisions
Rationale:
(a) The software failure incident reported in the articles was primarily due to accidental_decisions made by developers. The incident was caused by a simple coding error made by developers in at least 685 apps, which put millions of smartphone users at risk of having their calls and text messages intercepted by hackers [65591, 65054]. The developers mistakenly coded credentials for accessing services provided by Twilio Inc, allowing hackers to potentially access sensitive data sent over those services. The mistakes were attributed to developers not properly securing the credentials in the apps, rather than any fault on Twilio's part. Twilio's website warns developers about the risks of leaving credentials exposed in apps, indicating that the failure was a result of accidental decisions made during the coding process.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident in the articles was primarily due to development incompetence. Developers mistakenly coded credentials for accessing services provided by Twilio in at least 685 apps, putting millions of smartphone users at risk of having their calls and text messages intercepted by hackers [65591, 65054]. The mistakes were caused by developers not properly handling the credentials in the code, leading to a significant security vulnerability.
(b) Additionally, the incident can also be categorized as accidental, as the errors in coding the credentials were not intentional but rather introduced accidentally by the developers during the development process [65591, 65054]. The accidental inclusion of sensitive credentials in the code exposed the apps to potential exploitation by hackers, highlighting the risks associated with improper coding practices.

Category: Duration
Option: temporary
Rationale:
The software failure incident reported in the articles was temporary. The incident was caused by a simple coding error in at least 685 mobile apps that put millions of smartphone users at risk of having their calls and text messages intercepted by hackers [65591, 65054]. The vulnerability was due to developers mistakenly coding credentials for accessing services provided by Twilio Inc, which allowed hackers to access those credentials by reviewing the code in the apps and gain access to data sent over those services [65591, 65054]. The issue was related to the improper coding or configuration of third-party services like Twilio, highlighting the new threats posed by the increasing use of such services [65591, 65054].

Category: Behaviour
Option: omission, other
Rationale:
(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and stops performing its intended functions.
(b) omission: The incident involves a failure due to the system omitting to perform its intended functions at an instance(s). Developers mistakenly coded credentials for accessing text messaging, calling, and other services provided by Twilio in at least 685 apps, putting millions of smartphone users at risk of having their calls and text messages intercepted by hackers [65591].
(c) timing: The incident does not involve a failure due to the system performing its intended functions correctly but too late or too early.
(d) value: The incident does not involve a failure due to the system performing its intended functions incorrectly.
(e) byzantine: The incident does not involve a failure due to the system behaving erroneously with inconsistent responses and interactions.
(f) other: The behavior of the software failure incident is related to a security vulnerability caused by developers mistakenly coding credentials into apps, leading to potential data interception by hackers [65054].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category: Consequence
Option: property, theoretical_consequence
Rationale:
(d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident described in the articles resulted in a situation where millions of smartphone users were at risk of having their calls and text messages intercepted by hackers due to a coding error in various apps. Hackers could access credentials for accessing text messaging, calling, and other services provided by Twilio, potentially gaining access to data sent over those services [65591, 65054]. This breach of security could lead to the compromise of sensitive information and data belonging to the users of the affected apps, impacting their property in terms of data security and privacy.

Category: Domain
Option: information, utilities
Rationale:
(a) The software failure incident affected the information industry, as it involved a coding error in mobile apps that put smartphone users at risk of having their calls and text messages intercepted by hackers [65591, 65054].
(g) The incident also had implications for the utilities industry, as Twilio, the service provider involved in the vulnerability, powers communications for more than 40,000 businesses worldwide, which likely includes utilities companies [65591].
(m) The software failure incident could be related to other industries beyond those explicitly mentioned, as it involved a common problem across third-party services, indicating a broader impact on various sectors that rely on such services for communication and functionality [65591, 65054].

Sources
