Twilio Auth Token

ID

twilio_auth_token

Severity

critical

Vendor

Twilio

Family

API Key

Description

Twilio is a cloud communications platform that provides APIs for SMS, voice, video, and authentication services.

An Auth Token is a 32-character hexadecimal string with no prefix, used as the password in HTTP Basic Auth with the Account SID (which starts with AC) as the username. It grants full access to the Twilio account, including the ability to create API Keys and to rotate the Auth Token itself, and should be treated as a master credential. Because it carries no prefix, a bare 32-hex string on its own is indistinguishable from an MD5 digest or a random identifier; detection relies on the adjacent Account SID or on a variable name such as TWILIO_AUTH_TOKEN.

Security

A leaked Twilio Auth Token could have serious security and financial implications:

  • Unauthorized sending of SMS messages, voice calls, or other communications, resulting in unexpected charges on your account.

  • Access to call logs, message history, and recordings that may contain sensitive customer data.

  • Ability to modify account configuration, including phone number routing and webhook URLs.

  • Potential to intercept or redirect two-factor authentication (2FA) messages.

  • Access to Twilio Verify, Authy, and other security services that could be used to compromise user accounts.

Examples

The following is an example of a leaked Twilio Auth Token:

TWILIO_AUTH_TOKEN=a1b2c3d4...c5d6

from twilio.rest import Client
client = Client("ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "your_auth_token_here")
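To make the detection rule and the credential's use concrete, the following is an added example (not code from this page or from Twilio) that scans text for likely Auth Tokens and builds the Basic Auth header Twilio expects. The scanner only accepts a 32-hex candidate when a Twilio keyword precedes it on its own line or an Account SID sits on that line or the one before; the one-line context window, the keyword list, the sample input and every SID and token in it are this example's own constructed placeholders.

```python
import base64
import re
import urllib.request

# Account SID: "AC" + 32 hex. Auth Token: 32 hex with no prefix at all.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Variable names that make a bare 32-hex string likely to be a Twilio token
# rather than an MD5 digest or a random ID (keyword list is this example's).
KEYWORD_RE = re.compile(r"twilio|auth[_-]?token", re.IGNORECASE)

TWILIO_API = "https://api.twilio.com/2010-04-01"


def find_twilio_auth_tokens(text, context_lines=1):
    """Return likely Auth Tokens in text as dicts: line, token, account_sid.

    A 32-hex candidate counts only if a Twilio keyword precedes it on its own
    line, or an Account SID appears on that line or the previous context_lines
    lines (which covers a multi-line Client(...) call). The keyword test is
    limited to the candidate's own line so an unrelated digest one line below
    a token assignment is not flagged.
    """
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        for m in HEX32_RE.finditer(line):
            own = line[: m.start()]
            prev = "\n".join(lines[max(0, i - context_lines): i])
            sids = ACCOUNT_SID_RE.findall(prev + "\n" + own)
            if not (KEYWORD_RE.search(own) or sids):
                continue
            findings.append({
                "line": i + 1,
                "token": m.group(0),
                "account_sid": sids[-1] if sids else None,
            })
    return findings


def basic_auth_header(account_sid, auth_token):
    """Authorization header Twilio expects: Basic base64("AccountSid:AuthToken")."""
    raw = f"{account_sid}:{auth_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def verification_request(account_sid, auth_token):
    """Build, without sending, the request a verifier uses to confirm a token
    is live: fetch the Account resource with the token as the Basic Auth
    password. A 200 means the token works; a 401 means it is revoked or wrong."""
    req = urllib.request.Request(f"{TWILIO_API}/Accounts/{account_sid}.json")
    req.add_header("Authorization", basic_auth_header(account_sid, auth_token))
    return req


# Constructed sample input; the SIDs and tokens below are placeholders.
FAKE_SID_A = "AC" + "0" * 32
FAKE_SID_B = "AC" + "1" * 32
FAKE_TOKEN_A = "0123456789abcdef" * 2
FAKE_TOKEN_B = "fedcba9876543210" * 2
SAMPLE = (
    f"TWILIO_ACCOUNT_SID={FAKE_SID_A}\n"
    f"TWILIO_AUTH_TOKEN={FAKE_TOKEN_A}\n"
    'checksum = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 digest, not a token\n'
    f'client = Client("{FAKE_SID_B}",\n'
    f'                "{FAKE_TOKEN_B}")\n'
)

if __name__ == "__main__":
    for hit in find_twilio_auth_tokens(SAMPLE):
        print(hit)
    req = verification_request(FAKE_SID_A, FAKE_TOKEN_A)
    print(req.full_url, req.get_header("Authorization"))
```

Run against SAMPLE, the scanner reports the env-file token (line 2, paired with the SID above it) and the second argument of the Client call (line 5, paired with the SID on the previous line), and skips the MD5 digest on line 3 even though a token assignment sits directly above it. The verification request is only constructed here; sending it with a real candidate is what confirms whether a leaked token is still live.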

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the token.

    For Auth Tokens: in the Twilio Console, open Account > API keys & tokens (shown as Account Settings in older Console layouts). Twilio supports a secondary Auth Token: request one, switch your applications to it, then promote it to primary, which stops the leaked primary token from working. If you cannot update every application first, rotate anyway; a short outage is preferable to a live master credential.

    Leaked tokens should be immediately revoked. Do not simply disable them.
  2. Remove the leaked Auth Token from the source code or committed configuration file, and replace its usages with the new value. Pass the credential through environment variables, untracked local files or a secrets vault instead of hardcoding it, as documented in How to Prevent Hard-Coded Secrets.

  3. Check Twilio usage logs and call/message history (Monitor > Logs in the Console) to confirm that the token was not used by unintended actors during the compromised period, and review Audit Events for configuration changes an attacker could use to persist or intercept traffic: new webhook URLs, added phone numbers and, above all, API Keys you did not create. Rotating the Auth Token does not revoke API Keys that were minted with it, so delete any key you do not recognize.

  4. Follow best practices for securely handling Twilio Auth Tokens:

    • Never commit Auth Tokens to repositories.

    • Prefer API Keys over Auth Tokens for production applications, as API Keys can be individually revoked.

    • Use environment variables or secret managers.

    • Monitor API usage for unusual patterns.

    • Implement proper access controls and key rotation schemes.
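The following added example (not the page's or Twilio's code) covers steps 2 to 4 of the procedure in one piece: a credential loader that reads from the environment and prefers an API Key over the Auth Token, and a review function that flags messages sent during the compromise window to numbers your application does not normally contact. The environment variable names, the compromise window, the known-number allowlist and the message records are this example's own constructed assumptions; the records follow the field names of Twilio's Messages list API (sid, date_sent, from, to, direction).

```python
import os
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# SID shapes: Account SIDs start with AC, API Key SIDs with SK; the Auth
# Token is 32 hex with no prefix. Matching is case-insensitive to be safe.
ACCOUNT_SID_RE = re.compile(r"^AC[0-9a-f]{32}$", re.IGNORECASE)
API_KEY_SID_RE = re.compile(r"^SK[0-9a-f]{32}$", re.IGNORECASE)
AUTH_TOKEN_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def load_twilio_credentials(env=None, allow_auth_token=False):
    """Read Twilio credentials from environment variables (the variable
    names are this example's convention, not Twilio's).

    Prefers an API Key SID + secret, which can be revoked on its own; the
    account Auth Token is accepted only when allow_auth_token is True.
    Returns the (username, password, account_sid) triple Twilio's helper
    libraries take, e.g. Client(*creds) with the Python SDK.
    """
    env = os.environ if env is None else env
    account_sid = env.get("TWILIO_ACCOUNT_SID", "")
    if not ACCOUNT_SID_RE.match(account_sid):
        raise ValueError("TWILIO_ACCOUNT_SID missing or malformed")

    key_sid = env.get("TWILIO_API_KEY_SID", "")
    key_secret = env.get("TWILIO_API_KEY_SECRET", "")
    if key_sid or key_secret:
        if not API_KEY_SID_RE.match(key_sid) or not key_secret:
            raise ValueError("TWILIO_API_KEY_SID or TWILIO_API_KEY_SECRET malformed")
        return key_sid, key_secret, account_sid

    if not allow_auth_token:
        raise ValueError("no API Key configured and Auth Token use is disabled")
    token = env.get("TWILIO_AUTH_TOKEN", "")
    if not AUTH_TOKEN_RE.match(token):
        raise ValueError("TWILIO_AUTH_TOKEN missing or malformed")
    return account_sid, token, account_sid


def suspicious_messages(records, window_start, window_end, known_numbers):
    """Step 3 review: return the SIDs of messages sent inside the compromise
    window whose counterpart number is not one the application is known to
    message. Records are dicts shaped like Twilio's Messages list API."""
    flagged = []
    for rec in records:
        if not rec.get("date_sent"):
            continue  # queued or failed messages carry no send time
        sent = parsedate_to_datetime(rec["date_sent"])  # RFC 2822, as Twilio returns it
        if not window_start <= sent <= window_end:
            continue
        outbound = rec["direction"].startswith("outbound")
        counterpart = rec["to"] if outbound else rec["from"]
        if counterpart not in known_numbers:
            flagged.append(rec["sid"])
    return flagged


# Constructed review inputs: a two-day compromise window and message records
# in the shape of Twilio's Messages list API. Numbers and SIDs are placeholders.
WINDOW_START = datetime(2024, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 3, tzinfo=timezone.utc)
KNOWN_NUMBERS = {"+15555550100"}  # customers the application legitimately messages
SAMPLE_RECORDS = [
    {"sid": "SM" + "a" * 32, "date_sent": "Wed, 01 May 2024 10:00:00 +0000",
     "from": "+15555550000", "to": "+15555550100", "direction": "outbound-api"},
    {"sid": "SM" + "b" * 32, "date_sent": "Thu, 02 May 2024 03:15:00 +0000",
     "from": "+15555550000", "to": "+15555550199", "direction": "outbound-api"},
    {"sid": "SM" + "c" * 32, "date_sent": "Sat, 20 Apr 2024 09:00:00 +0000",
     "from": "+15555550000", "to": "+15555550199", "direction": "outbound-api"},
    {"sid": "SM" + "d" * 32, "date_sent": None,
     "from": "+15555550000", "to": "+15555550199", "direction": "outbound-api"},
]

if __name__ == "__main__":
    creds = load_twilio_credentials({
        "TWILIO_ACCOUNT_SID": "AC" + "0" * 32,
        "TWILIO_API_KEY_SID": "SK" + "1" * 32,
        "TWILIO_API_KEY_SECRET": "example-secret",
    })
    print("username/password/account:", creds)
    print("messages to review:",
          suspicious_messages(SAMPLE_RECORDS, WINDOW_START, WINDOW_END, KNOWN_NUMBERS))
```

With the defaults, an application that only has TWILIO_AUTH_TOKEN set fails to start, which is the intended nudge toward a per-application API Key that can be revoked without rotating the master credential. The review function flags only the second sample record: the first goes to a known number, the third is outside the window, and the fourth was never sent.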

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.