  • By Security
    Twilio's Response to the Apache Log4j Vulnerability

    This article is a Japanese translation of the article originally written here (in English).

    The Japanese version is based on the content of the article as of shortly after 9:00 AM Japan time on December 15, 2021. Please note in advance that if the English original has since been updated or corrected, the Japanese version may not necessarily reflect those changes.

    Twilio believes that the security of our products and our customers' data is of paramount importance, and when an incident occurs that might threaten that security, we tell you about it whenever possible. To that end, we provide below an overview of our response to the recently discovered zero-day vulnerability in the Java logging library Log4j.

    What has happened so far

    On December 9, 2021, Apache publicly disclosed a remote code execution (RCE) vulnerability (CVE-2021-44228) in its popular Java logging library Log4j (see CVE-2021-44228). After reviewing the summary of the CVE, Twilio began its security incident response process, evaluated the potential impact to Twilio*, and promptly began remediation steps in case an attack exploiting the vulnerability had been carried out. (* This includes SendGrid Email and Segment CDP.)

    Our response so far

    Our subsequent investigation evaluated and identified the usage of affected Log4j versions in Twilio's environment. Twilio is currently working to fix these affected Log4j versions as quickly as possible …

  • By Security
    Twilio’s Response to the Log4J Vulnerability

    Twilio has fully remediated the Log4j vulnerability. You may read further to see how we responded during the event.

    Twilio believes that the security of our products and our customers’ data is of paramount importance and when an incident occurs that might threaten that security, we tell you about it. To that end, we wanted to provide an overview of our response to the recently discovered zero-day vulnerability in the Java logging library Log4j.

    What happened?

    On December 9, 2021, Apache publicly disclosed a remote code execution (RCE) vulnerability (CVE-2021-44228) in its popular Java logging library, Log4j. Upon identification of the security advisory, Twilio began its security incident response process to evaluate the potential impact to Twilio, inclusive of its SendGrid and Segment products as well as its subsidiaries, and promptly begin steps to remediate any exposure.

    What have we done?

    Our subsequent investigation evaluated and identified usage of the …

  • By Security
    Details on Misconfigured Kubernetes NodePorts

    UPDATE 2021-07-26: Through further investigation, we have updated the cause of the exposure. Our investigation found that the cause of the exposure was a misconfigured Kubernetes network policy. See below for additional details.

    Twilio believes that our customers’ trust in us and the security of our products is of paramount importance, and when an event occurs that might threaten that security, we tell you about it. To that end, we wanted to provide an overview of the impact we experienced from a recently discovered server misconfiguration issue and how we managed that event.

    What happened?

    On June 18, 2021, a security researcher responsibly disclosed that they were able to access internal data on several Twilio SendGrid Kubernetes cluster node hosts. Twilio's security team quickly identified and mitigated the misconfiguration that led to the exposure, and started remediation efforts according to our incident response procedures.

    Our investigation found that the …

  • By Security
    Twilio's Response to the Codecov Vulnerability

    This article is an abridged translation of the English blog post (published May 4, 2021).

    Twilio believes that the security of our products and our customers' data is of paramount importance, and when an incident occurs that might threaten that security, we report it urgently and promptly. Accordingly, we provide an overview of the impact on Twilio from the recently disclosed Codecov vulnerability and the status of our response.

    What happened

    On April 15, 2021, Codecov publicly disclosed a security event in which an attacker tampered with the Bash Uploader component, making it possible to export information stored in continuous integration (CI) pipeline environments. Twilio was notified of the event by Codecov and immediately began our security incident response process. Twilio uses Codecov tools, including the Bash Uploader component, but only in a very small number of projects and CI pipelines. Furthermore, these projects and CI pipelines are not in the critical path for delivering updates or functionality to Twilio's communication APIs.

    Our subsequent investigation of the impact of this event found that it is highly likely that someone extracted a very small number of email addresses. Twilio has notified the affected individuals directly, conducted a thorough review and rotation of credentials that may have been exposed, and applied fixes to prevent any further potential exposure …

  • By Security
    Twilio’s Response to the Recent Codecov Vulnerability

    Twilio believes that the security of our products and our customers’ data is of paramount importance and when an incident occurs that might threaten that security, we tell you about it. To that end, we wanted to provide an overview of the impact we experienced from the recently disclosed Codecov vulnerability and how we managed that event.

    What happened?

    On April 15, 2021, Codecov publicly disclosed a security event where an attacker modified the Bash Uploader component which enabled the attacker to potentially export information stored in continuous integration (CI) environments. Twilio was notified of the event by Codecov and immediately began our security incident response process. We have Codecov tools, including the Bash Uploader component, in use in a small number of our projects and CI pipelines. These projects and CI pipelines are not in the critical path to providing updates or functionality to our communication APIs.

    Our subsequent …

  • By Security
    Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020

    Twilio believes the security of our customers’ accounts is of paramount importance and when an incident occurs that might threaten that security, we tell you about it.

    What happened?

    On Sunday July 19th, we became aware of a modification that had been made to a JavaScript library that we host for our customers to include in their applications. A modified version of the TaskRouter JS SDK was uploaded to our site at 1:12 PM PDT (UTC-07:00). We received an alert about the modified file at approximately 9:20 PM PDT and replaced it on our site around 10:30 PM PDT. The modified version may have been available on our CDN or cached by user browsers for up to 24 hours after we replaced it on our site.

    The TaskRouter JS SDK is a library that allows customers to easily interact with Twilio TaskRouter, which provides an attribute-based routing engine that routes …

  • By Security
    7 Ways To Secure Your Account

    Security threats come in from all angles, and keeping track of them all is a constant challenge.

    There are many links that attackers can target in the communication chain — the link between you and your network, your passwords and tokens, and other sensitive places and information. If your Twilio account is compromised, it can result in massive fraudulent charges, blocked phone numbers, loss of customer trust, and more.

    Here are seven best-practices you can follow to keep your Twilio account — or any account — safer.

    Keep your passphrases strong

    First and foremost, use strong passphrases.

    What does that mean these days? It turns out that a jumble of hard-to-remember characters is not as effective as a longer but easier to remember password. That’s why Twilio requires at least 14 characters but has no “special character” requirements.

    It should go without saying: don’t share your passwords and don’t …

  • By Security
    Security Update On SSL Certificate Validation

    Over the past couple months, Twilio has been testing additional safeguards and checks around SSL certificate validation. During the week of October 12th 2015, we deployed a change to our HTTP proxies to validate SSL certificates. This feature is enabled by default for all new accounts. We have deployed a change to our Account Portal so developers can choose to enable this validation.

    What is the purpose of this safeguard?

    The purpose of the certificate validation process is to prevent Man-in-the-Middle attacks on HTTPS connections.

    How does this safeguard impact me?

    This change impacts customers who use HTTPS endpoints to receive requests from Twilio. If certificate validation is enabled and you are using a self-signed, expired, or domain-mismatched certificate, or a certificate not issued by a trusted certificate authority*, HTTP requests to your application from Twilio will fail, which will result in an error notification. Error notifications are available …
