Twilio response to Voxox data breach
On Friday, November 16, 2018, Twilio became aware of an incident regarding Voxox, a wholesale SMS provider, in which an unsecured database was accessible to the internet and exposed details of SMS messages and the companies that sent them. Media articles report that many of these SMS messages contained sensitive information such as authentication passcodes and delivery tracking numbers linking to unauthenticated details on the web. The vulnerability was uncovered by security researcher Sébastien Kaul.
Trust is a top priority for Twilio. We take issues like this very seriously and quickly sought to understand the impact of this incident for Twilio’s customers. This blog post details our findings and will be updated if any new information comes to light.
Upon learning of this incident, Twilio triggered our incident response process to examine whether or not this wholesale SMS provider, Voxox, was in use by the Twilio ...
Welcome the 2018 Doers
At SIGNAL, we inducted a new cohort of builders to the Doers Hall of Fame.
The Doers Hall of Fame recognizes members of the Twilio community who have driven transformative impact through strategic use of communications.
“The most inspiring thing about Twilio is the innovation that comes from our community,” said Jeff Lawson, co-founder and CEO of Twilio. “Each year, we celebrate those exemplary community members who are paving the way for the future of communications by building things we never imagined. I’m thrilled to induct the latest class to the Twilio Hall of Doers at this year’s SIGNAL event. We can’t wait to see what they build next.”
This year’s inductees include:
Streetwide - Founders Fred Diego and Alicia Nieves created a distributed call center technology that partners with local community organizations to help undocumented immigrants who are facing ICE raids and deportation. The Twilio-powered helpline ...
#SIGNALConf Recap from @VogueAndCode
We've shared a lot about SIGNAL, our customer and developer conference, over the last couple of weeks, but we thought it would be great to share the experience from someone else’s shoes, so we invited our friend April Speight to share her experience. Here’s what she had to say:
I had only learned about Twilio a few months ago when I was invited to an event for TwilioQuest. I didn't know just how easy it was to use Twilio's APIs! Since then, I've been hooked on learning more about what others are doing within the Twilio community. However, as a new user, I wasn't sure where to start. After much expressed interest and genuine curiosity to learn more, I received an invite to attend SIGNAL under the SIGNAL 2018 Scholarship program. That changed everything!
Diversity & Inclusion: A Sense of Belonging At Twilio
Twilio is changing how people feel about going to work and is well on its way to becoming a prime example of a workplace where people can do the best work of their careers, and where diverse talent is not only sought after, it’s embraced and nurtured.
The company has taken its workplace diversity and inclusion commitment a step further by setting some ambitious goals around recruiting, equitable pay and promotions, and cultivating a company-wide sense of belonging. In fact, when Twilio celebrates its 15th anniversary in 2023, it's aiming for every Twilion to feel that they belong.
Twilio believes that having a diverse workforce brings unique ideas to new prototypes. And when employees feel included, not only will exceptional talent come to the company, they’ll be happier and stay longer. “You can spend a lot of money on just recruiting and bringing people through the door; but ...
Evolving Our Trusted Bounty Program: Twilio Adds Safe Harbor to Bug Bounty
Founded by engineers, Twilio has always sought to cultivate a diverse internal engineering culture while enabling a strong external community. Since its founding 10 years ago, Twilio has provided scalable services and empowered over 2 million developers to build great things on our platform.
Twilio is dedicated to providing our customers with a trusted platform where their data is protected. While we have a skilled security team working hard to accomplish this goal, we have seen the positive effects of crowdsourcing proactive help from external security researchers, spurred on by our bug bounty program, to improve our systems of protection.
Hackers act as “the Internet’s immune system” when they find vulnerabilities and responsibly disclose them to the correct parties before they are maliciously exploited by those with ill intentions. When responsible and seasoned hackers find these issues, all users of the platform benefit. Twilio launched its bounty program in ...
How to Mitigate Interception of TOTP via Compromised Voicemail
It’s common today to use a phone number as part of a user’s profile to increase confidence the account is not fraudulent and to implement two-factor authentication (2FA) to help reduce account takeovers. However, any authentication or verification mechanism will attract attackers who will try to abuse it, and they get very creative when it comes to legacy technologies that use telephones.
Twilio offers two APIs which are designed to simplify phone verification (Verify) and two-factor authentication (Authy). Both APIs support the ability to verify or authenticate users via a phone call. This article explains how voicemail can be abused for these use cases and how Verify and Authy provide protection against attack.
Time-based one-time passwords (TOTPs), temporary passcodes used to authenticate users, are commonly used for 2FA. Even if a user's primary password is compromised, an attacker cannot gain access to the application without the ...
A Developer’s Guide to Responding to National Security Letters
When the FBI Shows Up at Your Office with an NSL
When you receive thousands of requests from law enforcement each year, it’s actually not a surprise when a representative from the FBI shows up at your office to deliver a request for information. There are no cloaks or daggers involved, just a sealed manila envelope.
The San Francisco FBI office is very familiar with working with tech companies and will reach out with a call or email to find a time to stop by. If parking is bad – like it often can be around the Twilio office – the FBI representative might even be willing to hand you the request right on the street.
So receiving government requests for information can be a fairly administrative, straightforward process.
But as we outlined in a blog post in July, National Security Letters are unusual for requests because they’re steeped in ...
Announcing the Twilio Transparency Report
Twilio Publishes Two National Security Letters as Part of Second Half 2017 Transparency Report
Today, Twilio is publishing our sixth semi-annual transparency report detailing total volume of government requests for information received by Twilio, how Twilio responded to such requests and how Twilio notified users of such requests.
Twilio’s transparency report for the second half of 2017 reflects a continued increase in the number of requests for information received from international government agencies. In the second half of 2017, Twilio received 1581 government requests for user information from government agencies in 24 countries.
In the United States, Twilio reports receiving 340 requests from federal, state and local agencies. These requests include two National Security Letters that Twilio sought and obtained permission to publish.
- You can view our most recent transparency report for the second half of 2017 on the Twilio Transparency Reporting page.
- You can download the Transparency Report ...
Regarding Mobile Apps with Hard-coded API Keys
A security report recently announced that Android and iOS apps were discovered to contain hard-coded Twilio credentials, meaning the data from the associated Twilio accounts was potentially at risk of exposure to bad actors. The Twilio platform itself remains secure and uncompromised, and we have no evidence that data from any of the apps was accessed by an unauthorized party. Nonetheless, we’d like to offer our community some clarity on what exactly transpired.
When a developer makes a request to Twilio’s REST API, they have to pass along secret credentials, or API keys, to authenticate their account. If a developer exposes those keys into the public, someone can come along and access that developer’s Twilio account. It’s like leaving your car keys in an unlocked car — once someone realizes you’ve made the mistake they can drive your car wherever they want.
One way ...
Twilio and “Friend-to-Friend Invitations”
Many apps nowadays send out invite messages to a user’s contacts in order to get that user’s friends on the platform — I mean, hey, if your user thinks your product is cool, why not encourage them to tell their friends about it? Apps that do friend-to-friend invites typically access the end user’s contact list to find phone numbers of their friends and partially or fully automate the process of sending out the invitations to those friends as text messages. In a lot of cases (and certainly if you’re using a platform like Twilio to send these), the friend will receive the text messages from a phone number provided by the app, rather than directly from the end user’s phone number. As a result, these messages may be perceived as spam by the user’s friends. Uh oh.
Let’s dive into how you avoid this ...