Security researchers from Appthority have discovered that several app developers hardcoded credentials for services provided by Twilio Inc. directly into their applications. Anyone who extracted those credentials by reviewing the application code could then access the data (such as calls and text messages) sent over those services.
Appthority said it has discovered over 700 applications with this security risk, 170 of which are still available on the Google Play Store and the Apple App Store, which means that millions of users around the world are currently at risk.
According to Appthority:
“We’ve called this vulnerability Eavesdropper because providing the Twilio account ID and Twilio account token (password) hardcoded in the app creates a vulnerability that exposes call record metadata, recorded call audio, as well as text messages. The accessible records are not limited to those of the user of the vulnerable app, but include all records associated with the developer’s Twilio account for that app and other apps created by that developer.”
Researchers also said that by obtaining the account credentials from the source code of the affected applications, attackers could have gained access to millions of calls and text messages. North America, the United Kingdom and Australia are the most affected regions.
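The defect described above is a hardcoded service credential shipped inside a client binary, which is exactly what a pre-release secret scan is meant to catch. The following is an added example, not Appthority's tooling or any code from the affected apps: a small Python scanner that walks an app's source or string constants and flags Twilio Account SIDs (which begin with `AC` followed by 32 hex characters) and 32-hex-character auth tokens that sit on the same line as a credential-like name. The sample input is constructed for this example; the function and variable names are the author's own.

```python
import re
from dataclasses import dataclass

# Twilio Account SIDs are "AC" followed by 32 hex characters, and auth tokens are
# 32 hex characters. A bare 32-hex literal could also be a build hash or checksum,
# so the auth-token rule is a heuristic: it only fires when a credential-like
# name appears on the same line.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-f]{32}\b")
CREDENTIAL_NAME_RE = re.compile(r"(?i)(auth[_-]?token|twilio|secret|api[_-]?key)")


@dataclass(frozen=True)
class Finding:
    kind: str      # "account_sid" or "auth_token"
    line_no: int   # 1-based line in the scanned text
    value: str     # masked so the report itself does not leak the secret


def mask(value: str) -> str:
    """Keep only the first and last four characters of a secret for reporting."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Scan source text or extracted string constants for Twilio credentials.

    Covers plain string literals only; credentials split across concatenations
    or obfuscated at build time need a runtime or decompiler-assisted check.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append(Finding("account_sid", line_no, mask(m.group())))
        if CREDENTIAL_NAME_RE.search(line):
            for m in HEX32_RE.finditer(line):
                findings.append(Finding("auth_token", line_no, mask(m.group())))
    return findings


def release_gate(text: str) -> bool:
    """Return True when the text is clean, False when a build should be blocked."""
    return not scan_text(text)


# Constructed sample of an app's constants file (hypothetical, not from any real app).
SAMPLE_SOURCE = """\
// constructed sample of app constants, not from any real app
public static final String BASE_URL = "https://api.example.com/v1";
public static final String TWILIO_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
public static final String TWILIO_AUTH_TOKEN = "deadbeefdeadbeefdeadbeefdeadbeef";
public static final String BUILD_HASH = "0123456789abcdef0123456789abcdef";  // not a credential
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print("release gate:", "PASS" if release_gate(SAMPLE_SOURCE) else "BLOCKED")
```

Run this over the app's source tree (or over strings extracted from the built package) as a CI step; a non-empty result should block the release. The mitigation the findings point to is architectural rather than a better scan: the Twilio account SID and auth token belong on the developer's own server, and the app should call that server, which makes the Twilio API calls on its behalf, so that no long-lived account credential ever ships in the client.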