Appthority has discovered a significant data exposure vulnerability we’ve named Eavesdropper that affects almost 700 apps in enterprise environments. The vulnerability is caused by hard-coded credentials in mobile applications that use the Twilio REST API or SDK. By hard-coding their credentials into the app, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings.
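A pre-release check for the root cause described above, added here as an example and not Appthority's code or tooling: it scans strings extracted from an app build (decompiler output, a `strings` dump, or source) for Twilio Account/API Key SIDs and a 32-hex secret nearby, and reports masked values so the scanner's own output does not leak the credential. The SID and token formats are assumed from Twilio's documented conventions; the sample strings are constructed.

```python
import re
from typing import Dict, List

# Credential formats (assumed from Twilio's documented conventions): an Account SID is
# "AC" + 32 hex characters, an API Key SID is "SK" + 32 hex, and an Auth Token or API
# Key secret is a bare 32-hex string. The SID is the anchor; a secret close to it is
# what turns an identifier into a usable credential pair.
ACCOUNT_SID_RE = re.compile(r"\b(AC[0-9a-fA-F]{32})\b")
API_KEY_SID_RE = re.compile(r"\b(SK[0-9a-fA-F]{32})\b")
SECRET_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")  # 34-char SIDs never match this
TWILIO_HINT_RE = re.compile(r"twilio", re.IGNORECASE)


def mask(value: str) -> str:
    """Keep only enough of a credential to recognise it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, window: int = 400) -> List[Dict[str, object]]:
    """Flag Twilio credential material in app strings; one finding per distinct SID.

    A lone SID is an identifier (medium); a SID with a 32-hex secret within
    `window` characters is treated as a working credential pair (high)."""
    findings: Dict[str, Dict[str, object]] = {}
    for pattern, kind in ((ACCOUNT_SID_RE, "account_sid"), (API_KEY_SID_RE, "api_key_sid")):
        for m in pattern.finditer(text):
            sid = m.group(1)
            if sid in findings:
                continue
            ctx = text[max(0, m.start() - window): m.end() + window]
            secrets = SECRET_RE.findall(ctx)
            findings[sid] = {
                "kind": kind,
                "sid": mask(sid),
                "secret_nearby": bool(secrets),
                "twilio_context": bool(TWILIO_HINT_RE.search(ctx)),
                "severity": "high" if secrets else "medium",
            }
    return list(findings.values())


# Constructed sample: the kind of strings a decompiler dumps from an app that embedded
# its Twilio account credentials (values are made up, not real credentials).
SAMPLE_STRINGS = """
com.twilio.sdk.TwilioRestClient
https://api.twilio.com/2010-04-01/Accounts/ACdeadbeefdeadbeefdeadbeefdeadbeef/Messages.json
TWILIO_ACCOUNT_SID=ACdeadbeefdeadbeefdeadbeefdeadbeef
TWILIO_AUTH_TOKEN=0123456789abcdef0123456789abcdef
okhttp3.OkHttpClient
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_STRINGS):
        print(finding)
```

Run it against the output of your decompiler or `strings` on the release build; a high-severity finding means the build ships a credential pair that anyone with the app can extract.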
Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and use it for extortion or personal gain. Although Appthority has not extensively analyzed the recordings out of respect for privacy, given the nature of the apps we believe the data may include business and personal discussions such as negotiations, pricing discussions, confidential recruiting calls, proprietary product and technology disclosures, health diagnoses, market data, and M&A planning. A motivated attacker with automated tools to convert the audio to text and search it for specific keywords will almost certainly be rewarded with valuable data.