According to a security report from Appthority (via Reuters), a coding error by developers has left hundreds of messaging apps vulnerable and could expose private messages and calls. The exploit, which has been dubbed “Eavesdropper”, is based on the Twilio REST API or SDK, which Reuters points out is highly coveted by hackers because Twilio’s credentials are used in many apps that send and receive messages and/or process phone calls.
Note that this vulnerability was not an error on Twilio’s end, but rather one made by third-party developers who accidentally hard-coded user credentials into the app’s code, making it easy for hackers to steal user information. Appthority’s director of security research, Seth Hardy, told Reuters, “This isn’t just limited to Twilio. It’s a common problem across third-party services. We often notice that if they make a mistake with one service, they will do so with other services as well.”
To their credit, Appthority has not listed all the apps that could be vulnerable, save for some that are now defunct, such as the AT&T Navigator mapping and GPS app. Twilio has confirmed to Reuters that it has found no evidence that hackers have used the credentials to access customer data, and that it is working with developers to change credentials on affected accounts.
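A check a developer could run over their own source tree before release to catch the hard-coded credentials described above, as an added example that is not code from Appthority, Reuters or Twilio: it flags literal Twilio Account SIDs and any 32-hex value declared within two lines of one. The two-line window, the function names and the sample class are assumptions made for this illustration.

```python
import re

# Twilio Account SIDs are "AC" + 32 hex characters. Auth Tokens are 32 hex
# characters with no prefix, so one is reported only when it sits near a SID.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
WINDOW = 2  # assumption: a token is declared within 2 lines of its SID


def redact(secret):
    """Keep enough of the value to locate it without copying it into reports."""
    return secret[:6] + "..."


def scan_source(text):
    """Return sorted (line_no, kind, redacted_value) findings for one file."""
    lines = text.splitlines()
    findings = set()
    for i, line in enumerate(lines):
        for sid in SID_RE.findall(line):
            findings.add((i + 1, "account_sid", redact(sid)))
            # Look for a bare 32-hex literal in the lines around the SID.
            lo, hi = max(0, i - WINDOW), min(len(lines), i + WINDOW + 1)
            for j in range(lo, hi):
                for token in TOKEN_RE.findall(lines[j]):
                    findings.add((j + 1, "auth_token", redact(token)))
    return sorted(findings)


# Constructed sample: a client class with placeholder (not real) credentials.
SAMPLE = """\
class SmsClient {
    static final String ACCOUNT_SID = "AC00000000000000000000000000000000";
    static final String AUTH_TOKEN  = "0123456789abcdef0123456789abcdef";
    static final String REGION = "us1";

    // Unrelated 32-hex value outside the window: not reported as a token.
    static final String ASSET_MD5 = "d41d8cd98f00b204e9800998ecf8427e";
    static final String SID_FROM_ENV = System.getenv("TWILIO_ACCOUNT_SID");
}
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE):
        print(f"line {line_no}: hard-coded {kind} {value}")
```

A finding means the credential has to be rotated as well as removed from the code, since copies of the app that already shipped still contain it.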