This incident points to something much more severe. What role did this employee (or employees) whose credentials were compromised have? How did these credentials allow even an employee to get plain text auth codes being sent out to end users? Such a permission should be extremely limited in who it is granted to.
I suspect many Twilio support reps need access to outgoing SMS, because manually looking over those will be an important component of handling a "someone is using your service for spamming" complaint.
Are you familiar with their API? We use their SMS auth service at my employer. Twilio is the one composing the outbound message including auth code. The API caller is not providing Twilio with an auth code and phone number. Twilio 100% knows which portion of the outgoing SMS is the auth code.
Sorry, not familiar with an Auth API. About 5 years ago I worked at a company that used their API, but we just used it as a service for sending texts to specific numbers. (And mostly we used different services, because it was more expensive than our other options.)
Do we know that Signal was using the Twilio Auth product and not something custom on top of Twilio?
We do know. Check the texts you’ve gotten while signing into Signal. You’ll notice that they originate from short codes (like 22395) that are also used by other services like Discord, Square pay, just to name two.
Furthermore, it still doesn’t matter whether Signal was using their Authy service or not. There should be very tight data controls at Twilio where few employees would ever be able to retrieve clear text messages being sent to end users.
This incident is not getting nearly the attention it should imho.
Totally agree. The message content should be private and not accessible by employees. Kind of scary when you think that so many 2FA codes are sent via Twilio.
Exactly. A malicious employee could log in as any user to popular services like WhatsApp, Telegram and others that are SMS auth only, simply by knowing which endpoint to hit to kick off an auth session initiation. I hope I am not understanding this exploit correctly. This would be a massive failure on Twilio's part to allow employees access to the auth code.
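The thread's central concern is that whoever composes and sends the verification SMS also holds the plaintext code, and that support staff who can read outgoing messages can therefore read the code. The following is an added example, not Twilio's code or anything from the Signal incident, showing one way an OTP issuer can limit that exposure: it stores only a keyed hash of the code, redacts the code from every message copy that lands in a support-visible log, enforces expiry and an attempt limit, and makes the code single-use. The `SERVER_KEY`, phone numbers and message text are constructed for the demo; the `send_sms` callback stands in for whatever transport actually delivers the message.

```python
"""Added example (not Twilio's code): an OTP issuer that keeps the plaintext
code out of its own records and out of support-visible logs."""
import hashlib
import hmac
import re
import secrets
import time

DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
# Constructed demo key; a real deployment would load this from a secrets manager or HSM.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _tag(phone: str, code: str) -> str:
    """Keyed hash of (phone, code). Without SERVER_KEY a stolen table cannot be
    brute-forced offline over the 10**DIGITS code space."""
    return hmac.new(SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).hexdigest()


def redact_otp(message: str) -> str:
    """Mask any DIGITS-long number before a copy of the message reaches a log or support tool."""
    return re.sub(r"\b\d{%d}\b" % DIGITS, "*" * DIGITS, message)


def extract_code(message: str) -> str:
    """Demo helper: pull the code out of the delivered text, as the end user would."""
    return re.search(r"\b\d{%d}\b" % DIGITS, message).group(0)


class OtpIssuer:
    def __init__(self, send_sms, now=time.time):
        self._send = send_sms      # transport callback: (phone, text) -> None
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # phone -> {"tag", "expires", "attempts"}; never the code
        self.audit_log = []        # what a support rep would be allowed to see

    def start(self, phone: str) -> None:
        code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self._pending[phone] = {
            "tag": _tag(phone, code),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        message = f"Your verification code is {code}"
        self._send(phone, message)   # the plaintext exists only on the delivery path
        self.audit_log.append({"phone": phone, "text": redact_otp(message), "ts": self._now()})

    def check(self, phone: str, code: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[phone]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]  # lock out online guessing
            return False
        ok = hmac.compare_digest(entry["tag"], _tag(phone, code))
        if ok:
            del self._pending[phone]  # single use
        return ok


if __name__ == "__main__":
    delivered = []
    issuer = OtpIssuer(lambda phone, text: delivered.append(text))
    issuer.start("+15550001234")          # constructed number
    code = extract_code(delivered[0])
    print("support sees:", issuer.audit_log[0]["text"])
    print("correct code accepted:", issuer.check("+15550001234", code))
    print("replay rejected:", issuer.check("+15550001234", code))
```

The design point is where the plaintext lives: only the transport callback ever receives it, the pending table holds an HMAC tag that is useless without `SERVER_KEY`, and the audit record a support tool would query has the code masked. That does not remove the need to control who can read raw SMS traffic at the carrier side, but it does mean a compromised support account at the issuer cannot read codes back out of logs or storage.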