Twilio API Key
| ID | twilio_api_key |
| Severity | high |
| Vendor | Twilio |
| Family | API Key |
Description
Twilio is a cloud communications platform that provides APIs for SMS, voice, video, and authentication services.
A Twilio API Key consists of a SID (prefix SK, followed by 32 hex characters) and a Secret that is shown only once, when the key is created. The pair is sent as the username and password of HTTP Basic Auth for production API access, in place of the Account SID and Auth Token.
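As an added example (not Twilio's code, and not this detector's actual implementation), the following Python script shows what a scanner has to recognise for this credential: the SK-prefixed SID as it appears in a committed file, and the same SID hidden inside an already base64-encoded Basic Authorization header, which is how the key actually reaches the API. The sample input is constructed; the SID and secret in it are not real credentials, and the secret's length is arbitrary.

```python
"""Find Twilio API Key credentials in text: literal SK SIDs and SK:secret pairs
inside base64 Basic auth headers. Added example; not Twilio's or the detector's code."""
import base64
import re

# A Twilio API Key SID is "SK" followed by 32 lowercase hex characters.
SK_SID_RE = re.compile(r"\bSK[0-9a-f]{32}\b")
# Value of an HTTP Basic Authorization header: base64("username:password").
BASIC_AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def find_api_key_sids(text: str) -> list[str]:
    """Distinct API Key SIDs that appear in clear text (e.g. a committed .env file)."""
    return sorted(set(SK_SID_RE.findall(text)))


def find_basic_auth_api_keys(text: str) -> list[tuple[str, str]]:
    """(sid, secret) pairs recovered from Basic auth headers whose username is an SK SID.

    A regex for "SK..." alone misses this case: once the key is base64-encoded
    into the header (as curl invocations, HTTP recordings and some configs store
    it), the SID no longer appears literally, but the secret leaks just the same.
    """
    found = []
    for b64 in BASIC_AUTH_RE.findall(text):
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / not text, so not an SK:secret pair
        user, sep, secret = decoded.partition(":")
        if sep and SK_SID_RE.fullmatch(user):
            found.append((user, secret))
    return found


def redact(sid: str) -> str:
    """Report a finding without re-leaking it: keep the prefix and the last 4 chars."""
    return sid[:4] + "..." + sid[-4:]


# Constructed sample input (not real credentials; the secret's length is arbitrary):
# a committed .env file plus a shell-history line carrying the same key already
# encoded into the Authorization header.
SAMPLE_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef"
SAMPLE_SID = "SK0123456789abcdef0123456789abcdef"
SAMPLE_SECRET = "constructedSecretValueNotReal0001"
SAMPLE_TEXT = (
    f"TWILIO_ACCOUNT_SID={SAMPLE_ACCOUNT_SID}\n"
    f"TWILIO_API_KEY_SID={SAMPLE_SID}\n"
    f"TWILIO_API_KEY_SECRET={SAMPLE_SECRET}\n"
    "curl -H 'Authorization: Basic "
    + base64.b64encode(f"{SAMPLE_SID}:{SAMPLE_SECRET}".encode()).decode()
    + f"' https://api.twilio.com/2010-04-01/Accounts/{SAMPLE_ACCOUNT_SID}/Messages.json\n"
)

if __name__ == "__main__":
    for sid in find_api_key_sids(SAMPLE_TEXT):
        print("literal API Key SID:", redact(sid))
    for sid, _secret in find_basic_auth_api_keys(SAMPLE_TEXT):
        print("API Key in Basic auth header:", redact(sid))
```

The Account SID (AC prefix) in the same file is deliberately not matched: on its own it is not a credential, and a detector that flags it produces noise. The header check is the part worth keeping in mind when grepping a repository by hand, since `grep SK` will not find an encoded header.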
Security
A leaked Twilio API Key could have serious security and financial implications:
- Unauthorized sending of SMS messages, voice calls or other communications, resulting in unexpected charges on your account (toll fraud and SMS pumping are the usual motive).
- Access to call logs, message history and recordings that may contain sensitive customer data.
- Ability to modify account configuration, including phone number routing and webhook URLs.
- Potential to read or redirect two-factor authentication (2FA) messages, either from the message logs or by changing where incoming messages and calls are delivered.
- Access to Twilio Verify, Authy and other security services that could be used to compromise user accounts.
The blast radius depends on the key type: a Main API key carries the same privileges as the account Auth Token, while a Standard API key cannot manage other API keys or account-level settings but can still send messages and calls, read logs and recordings, and update phone-number configuration.
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the key. For API Keys: go to the Twilio Console > API Keys, find the compromised key and click "Delete this key". Create a new API key and update your applications. Leaked keys should be revoked immediately, not merely disabled; if you need to avoid downtime, create the replacement first, but do not let the old key outlive the cut-over.
- Remove the leaked Twilio API Key from the source code or committed configuration file and replace its usages with the new values. Pass the credentials through environment variables, local files or a secret vault instead of hardcoding them, as documented in How to Prevent Hard-Coded Secrets.
- Check Twilio usage logs and call/message history to confirm that the credentials were not used by unintended actors during the compromised period. Look for outbound traffic to destinations or countries you do not serve, sending numbers you did not buy, and changes to webhook URLs or number routing, and check billing for unexpected charges.
- Follow best practices for securely handling Twilio API Keys:
  - Never commit API Key Secrets to repositories.
  - Use API Keys instead of Auth Tokens for production applications, and prefer Standard keys unless a Main key's account-level privileges are actually needed.
  - Use environment variables or secret managers.
  - Monitor API usage for unusual patterns.
  - Implement proper access controls and key rotation schemes.

You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
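To make the "check usage logs" step concrete, here is an added Python example (not Twilio's code) that audits message records for activity during a compromise window. It assumes records in the shape of the Twilio Messages REST resource (`date_sent` as an RFC 2822 string or null, `price` as a negative decimal string or null) and that you know your own sending numbers and the country prefixes your customers are in; the records, numbers and window are all constructed. In practice you would page through the Messages and Calls resources with their date filters and feed the results in.

```python
"""Audit Twilio message records for misuse of a leaked key during a compromise window.
Added example with constructed data; not Twilio's code."""
from datetime import datetime, timezone
from decimal import Decimal
from email.utils import parsedate_to_datetime


def audit_messages(messages, window_start, window_end, known_senders, expected_prefixes):
    """Flag outbound messages sent in [window_start, window_end) that do not fit the
    account's normal traffic, and total what they cost.

    messages: dicts shaped like the Twilio Messages REST resource (constructed here).
    known_senders: the account's own sending numbers. An attacker holding a key can
        buy new numbers, so an unfamiliar "from" is itself a signal.
    expected_prefixes: E.164 country prefixes the account normally sends to. SMS
        pumping and toll fraud typically go elsewhere.
    """
    in_window = 0
    flagged = []
    cost = Decimal("0")
    for m in messages:
        if not m.get("date_sent"):
            continue  # null until Twilio actually sends it (queued/accepted): nothing to attribute yet
        sent = parsedate_to_datetime(m["date_sent"])  # RFC 2822 in the REST JSON
        if not (window_start <= sent < window_end):
            continue
        in_window += 1
        if not m["direction"].startswith("outbound"):
            continue  # inbound traffic was not created with the key
        reasons = []
        if m["from"] not in known_senders:
            reasons.append(f"unknown sender {m['from']}")
        if not m["to"].startswith(tuple(expected_prefixes)):
            reasons.append(f"unexpected destination {m['to']}")
        if reasons:
            flagged.append((m["sid"], reasons))
            if m.get("price") is not None:  # null until priced; negative means a charge
                cost += abs(Decimal(m["price"]))
    return {"in_window": in_window, "flagged": flagged, "flagged_cost": cost}


def _sid(n):
    """Constructed message SID in Twilio's shape (SM + 32 hex characters)."""
    return "SM" + f"{n:032x}"


# Constructed records: one legitimate message before the window, one inside it,
# two fraud-looking sends inside it, an inbound reply, a still-queued message
# with no date_sent yet, and one exactly at the window end (excluded, half-open).
SAMPLE_MESSAGES = [
    {"sid": _sid(1), "direction": "outbound-api", "from": "+15550100001", "to": "+15550100200",
     "date_sent": "Mon, 30 Jun 2025 22:30:00 +0000", "status": "delivered", "price": "-0.00830"},
    {"sid": _sid(2), "direction": "outbound-api", "from": "+15550100001", "to": "+15550100201",
     "date_sent": "Tue, 01 Jul 2025 08:10:00 +0000", "status": "delivered", "price": "-0.00830"},
    {"sid": _sid(3), "direction": "outbound-api", "from": "+15550100001", "to": "+447700900123",
     "date_sent": "Tue, 01 Jul 2025 03:12:00 +0000", "status": "delivered", "price": "-0.05000"},
    {"sid": _sid(4), "direction": "outbound-api", "from": "+15550100777", "to": "+2348012345678",
     "date_sent": "Tue, 01 Jul 2025 03:13:00 +0000", "status": "delivered", "price": "-0.12000"},
    {"sid": _sid(5), "direction": "inbound", "from": "+15550100300", "to": "+15550100001",
     "date_sent": "Tue, 01 Jul 2025 10:00:00 +0000", "status": "received", "price": None},
    {"sid": _sid(6), "direction": "outbound-api", "from": "+15550100001", "to": "+447700900124",
     "date_sent": None, "status": "queued", "price": None},
    {"sid": _sid(7), "direction": "outbound-api", "from": "+15550100001", "to": "+15550100202",
     "date_sent": "Wed, 02 Jul 2025 00:00:00 +0000", "status": "delivered", "price": "-0.00830"},
]


def run_sample_audit():
    """Audit the constructed records for a constructed 24-hour compromise window."""
    return audit_messages(
        SAMPLE_MESSAGES,
        window_start=datetime(2025, 7, 1, tzinfo=timezone.utc),
        window_end=datetime(2025, 7, 2, tzinfo=timezone.utc),
        known_senders={"+15550100001"},
        expected_prefixes=("+1",),
    )


if __name__ == "__main__":
    result = run_sample_audit()
    print(f"{result['in_window']} messages in window, {len(result['flagged'])} flagged,"
          f" flagged cost {result['flagged_cost']}")
    for sid, reasons in result["flagged"]:
        print(sid, "; ".join(reasons))
```

The window is half-open on purpose: the end time is normally "when the key was deleted", and anything sent at or after that instant cannot have used it. Messages with a null `date_sent` are skipped rather than flagged, since Twilio has not dispatched them yet; re-run the audit once they have a timestamp. The same shape of check applies to the Calls resource, with `direction`, `from`, `to`, `start_time` and `price`.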