Loaded a Spring Boot Application to AWS Elastic Beanstalk, my Twilio Account was hacked

0

Hello,

I developed a back-end web application that connects to a Twilio API so that my app can send users text message reminders. I developed it in Spring Boot and my .jar file had my sensitive Twilio account information. I quickly moved it from my .jar file into environment variables on EB to make it more secure.

However, I found out yesterday that my Twilio account was hacked and someone used my account to send a lot of messages to/from Morocco (unclear exactly what happened).

Is there any possible way that my Twilio account information was exposed when I uploaded my Spring Boot application to AWS Elastic Beanstalk?

Would love it if anyone can help me get to the bottom of this, as I can't figure out how my Twilio account information was stolen.

Best, Sai

2 Answers
1

Did you change your credentials used in Twilio and your app after the hack?

Once that's done, then you can start looking for what happened. If you can nail down a timeline of when you realized they stole your Twilio account credentials (when the first bogus message was sent from Twilio and when you first uploaded/deployed your jar), that gives you a window. If you were working on fixing issues you might be able to narrow that window down to the time between when the software worked and when the Twilio hack showed up. That timeline will help you look through these logs to see if you can spot anything suspicious.

Check the S3 bucket where your jar file lives. Make sure that bucket is NOT public. You may have removed the credentials from the jar file, but old versions still have them in them. If someone got access to your bucket they could steal the credentials. Also, if you take any backups of your system and those aren't encrypted, someone who gets access to those backups could steal the information in them.

I'd look through access logs on your site to see if you can pinpoint someone finding the credentials that way. CloudTrail is a pain in the butt, but it's the only way to see all of the API calls made by your account. Those are the two sources where you might be able to find someone doing something bad. You may talk to Twilio to see if they can provide any additional forensic information, like IP addresses for where those fraudulent messages came from; then you might see those same IPs talking to your server or AWS account.

Good luck.

answered 2 years ago
  • Thank you so much!

    I looked in my S3 buckets and it would appear that my one and only bucket was potentially available to the public. I went into the bucket, clicked on the "Permissions" tab, then clicked on "Edit" under "Block Public Access (bucket settings)" and selected Block all public access. I am assuming this is what caused the leak...

    Question about securing my API AUTH_TOKEN and API ACCOUNT_ID in EB -- what I did was go to my environment in EB, click on "Configuration", then click on "Edit" under "Software" and then add Environment Properties that mapped to the variable names in my application.properties file of my Spring Boot application. Am I doing this correctly? Are these Environment Properties stored in S3 publicly too?

    How do I access my logs to see who accessed my S3 buckets? Sorry, is there any chance you have more detailed instructions on how to do that?
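
The answer above points out that older application versions in the Elastic Beanstalk bucket still carry the credentials that were removed from the jar later. The following is an added example, not code from the thread: a scanner that opens a Spring Boot jar (a zip file), walks its bundled config files and nested jars under BOOT-INF/lib, and reports anything shaped like a Twilio Account SID (AC plus 32 hex characters) or an auth token sitting under a key that names it. The sample jar and the credential values in it are constructed, the property names are assumptions, and the idea is to download each old application version from the bucket (for instance with the AWS CLI) and run this over it to confirm which artifacts leaked what.

```python
"""Scan a Spring Boot jar for Twilio credentials left in bundled config files.

Added example for the thread above, not code from the original post.
The sample jar built below is constructed in memory with fake values.
"""
import io
import re
import zipfile

# Twilio Account SIDs are "AC" followed by 32 hex characters; the auth token is
# 32 hex characters and is recognised here only when it sits under a key that
# names it (auth_token, authToken, twilio...token, etc.).
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_KEY_RE = re.compile(
    r"(?im)^\s*([\w.\-]*(?:auth[_.\-]?token|twilio[\w.\-]*token)[\w.\-]*)"
    r"\s*[=:]\s*([0-9a-fA-F]{32})\b"
)
TEXT_SUFFIXES = (".properties", ".yml", ".yaml", ".xml", ".json", ".txt", ".env", ".conf")


def scan_jar_bytes(data, prefix=""):
    """Return a list of (entry_path, kind, value) findings for one jar.

    Nested jars (BOOT-INF/lib/*.jar in a fat jar) are scanned recursively and
    reported as outer.jar!/inner/path so the finding can be traced back.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            path = prefix + name
            if info.is_dir():
                continue
            if name.lower().endswith((".jar", ".zip")):
                findings.extend(scan_jar_bytes(zf.read(info), path + "!/"))
                continue
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue  # compiled classes and binaries are skipped
            text = zf.read(info).decode("utf-8", errors="replace")
            for m in SID_RE.finditer(text):
                findings.append((path, "account_sid", m.group(0)))
            for m in TOKEN_KEY_RE.finditer(text):
                findings.append((path, "auth_token", m.group(2)))
    return findings


def build_sample_jar(with_secrets=True):
    """Constructed Spring Boot fat-jar layout; credentials are fake placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as lib:
        # A helper library that shipped its own config (assumed file name).
        lib.writestr("config/twilio.yml",
                     "twilio:\n  authToken: " + ("f" * 32 if with_secrets else "${TWILIO_AUTH_TOKEN}") + "\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        props = "server.port=8080\n"
        if with_secrets:
            props += "twilio.account.sid=AC" + "0" * 32 + "\n"
            props += "twilio.auth.token=" + "0" * 32 + "\n"
        jar.writestr("BOOT-INF/classes/application.properties", props)
        jar.writestr("BOOT-INF/lib/helper.jar", inner.getvalue())
        jar.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan_jar.py app-version-1.jar app-version-2.jar ...
    for jar_path in sys.argv[1:]:
        with open(jar_path, "rb") as fh:
            for path, kind, value in scan_jar_bytes(fh.read()):
                print(f"{jar_path}: {path}: {kind} = {value[:4]}...")  # redact in output
```

Any artifact that reports a finding must be treated as compromised regardless of whether the bucket logs show a download, since S3 server access logging was not on at the time; the credential rotation already done is what actually closes the exposure.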

1

Firstly follow @chubbsondubs advice and reset your Twilio credentials and ensure the S3 bucket is private.

Elastic Beanstalk creates an Amazon S3 bucket and doesn't turn on default encryption. This means that by default, objects are stored unencrypted in the bucket but should only be accessible by authorised users. Elastic Beanstalk also applies a bucket policy to the buckets it creates to allow environments to write to the bucket.

Be aware that Elastic Beanstalk creates an application version whenever you upload source code. This usually occurs when you create an environment or upload and deploy code using the environment management console or EB CLI. Elastic Beanstalk deletes these application versions according to the application's lifecycle policy and when you delete the application. So it's possible you still have older application versions residing in the bucket.

You can track who's accessing your bucket and objects in the following ways. The options below are not enabled by default:

  • S3 server access logging to see information about requests to your buckets and objects.
  • CloudTrail to track API calls to your Amazon S3 resources.

The following link explains the key properties of AWS CloudTrail logs and Amazon S3 server access logs: Logging options for Amazon S3

Instead of using environment variables for secure credentials consider using the SSM Parameter Store/Secrets Manager which you can then fetch programmatically in your Elastic Beanstalk instance or through Elastic Beanstalk’s custom environment configuration files (.ebextensions).

Additional references that may be useful

RoB
answered 2 years ago
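
Both answers come down to the same investigation: once S3 server access logging is on, look for successful anonymous requests against the Elastic Beanstalk bucket inside the deploy-to-fraud window, and cross-check the source IPs against whatever Twilio reports. The following is an added example, not code from the thread or from AWS: it parses the leading fields of the S3 server access log format (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, request URI, HTTP status, error code), keeps requests inside a time window, flags anonymous successful requests (requester "-"), narrows those to artifact downloads, and separately lists any request from a supplied set of suspect IPs. The log lines, bucket name, IPs and window are all constructed for the example.

```python
"""Triage S3 server access log lines for anonymous reads of deployment artifacts.

Added example for the thread above, not code from the answers or AWS.
The log lines below are constructed to match the documented field order.
"""
import re
from datetime import datetime, timezone

# Leading fields of the S3 server access log format. Trailing fields (host id,
# signature version, cipher, auth type, host header, TLS version) are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+)'
)
ARTIFACT_SUFFIXES = (".jar", ".war", ".zip")


def parse_line(line):
    """Return a dict of the leading fields with an aware datetime, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines, window_start, window_end, suspect_ips=()):
    """Return (anonymous_hits, suspect_ip_hits) as (time, ip, operation, key) tuples.

    anonymous_hits: unauthenticated requests ("-" requester) that succeeded (2xx)
    inside the window, i.e. what a public bucket would have allowed.
    suspect_ip_hits: any request in the window from an IP you already distrust
    (for example addresses Twilio reports for the fraudulent messages).
    """
    anonymous, suspect = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (window_start <= rec["time"] <= window_end):
            continue
        entry = (rec["time"], rec["ip"], rec["operation"], rec["key"])
        if rec["requester"] == "-" and rec["status"].startswith("2"):
            anonymous.append(entry)
        if rec["ip"] in suspect_ips:
            suspect.append(entry)
    return anonymous, suspect


def artifact_downloads(hits):
    """Keep only object reads of deployable artifacts (jar/war/zip)."""
    return [h for h in hits
            if h[2] == "REST.GET.OBJECT" and h[3].lower().endswith(ARTIFACT_SUFFIXES)]


# Constructed sample data (not a real bucket, account or traffic).
BUCKET = "elasticbeanstalk-us-east-1-123456789012"


def _line(when, ip, requester, op, key, uri, status, err, agent):
    """Build one constructed log line in the documented field order."""
    return (f"ownercanonicalid {BUCKET} [{when}] {ip} {requester} REQ1 {op} {key} "
            f'"{uri}" {status} {err} 48213776 48213776 120 90 "-" "{agent}" - hostid SigV4 '
            f"ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {BUCKET}.s3.amazonaws.com TLSv1.2 -")


SAMPLE_LINES = [
    _line("10/Mar/2023:09:12:04 +0000", "203.0.113.10", "arn:aws:iam::123456789012:user/deployer",
          "REST.PUT.OBJECT", "myapp/app-6f3a.jar", "PUT /myapp/app-6f3a.jar HTTP/1.1", "200", "-", "aws-cli/2.11.0"),
    _line("10/Mar/2023:09:13:00 +0000", "203.0.113.25",
          "arn:aws:sts::123456789012:assumed-role/aws-elasticbeanstalk-ec2-role/i-0abc",
          "REST.GET.OBJECT", "myapp/app-6f3a.jar", "GET /myapp/app-6f3a.jar HTTP/1.1", "200", "-", "aws-sdk-java/1.12"),
    _line("11/Mar/2023:22:41:10 +0000", "198.51.100.77", "-",
          "REST.GET.BUCKET", "-", "GET /?list-type=2 HTTP/1.1", "200", "-", "python-requests/2.28"),
    _line("11/Mar/2023:22:41:35 +0000", "198.51.100.77", "-",
          "REST.GET.OBJECT", "myapp/app-6f3a.jar", "GET /myapp/app-6f3a.jar HTTP/1.1", "200", "-", "python-requests/2.28"),
    # After Block Public Access was enabled the same kind of request is denied.
    _line("14/Mar/2023:03:02:00 +0000", "192.0.2.9", "-",
          "REST.GET.OBJECT", "myapp/app-6f3a.jar", "GET /myapp/app-6f3a.jar HTTP/1.1", "403", "AccessDenied", "curl/7.88"),
]
WINDOW_START = datetime(2023, 3, 10, 9, 0, tzinfo=timezone.utc)   # first deploy
WINDOW_END = datetime(2023, 3, 15, 0, 0, tzinfo=timezone.utc)     # fraud noticed

if __name__ == "__main__":
    anon, susp = triage(SAMPLE_LINES, WINDOW_START, WINDOW_END, suspect_ips=("198.51.100.77",))
    for t, ip, op, key in artifact_downloads(anon):
        print(f"anonymous artifact download {t.isoformat()} {ip} {op} {key}")
    print(f"{len(susp)} request(s) from suspect IPs in window")
```

The anonymous listing followed half a minute later by an anonymous 200 on the jar is the pattern to look for; a 403 AccessDenied on the same key after Block Public Access was turned on is what a closed bucket looks like. Server access logs only cover requests made after logging was enabled, so for the period before that CloudTrail (with S3 data events turned on) is the only other record, and an empty result is not evidence that nothing was downloaded.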
