The developers of the open messenger Signal have disclosed details of a targeted attack aimed at taking over the accounts of some users. The attack was carried out by compromising Twilio, the service Signal uses to send SMS messages containing verification codes. Analysis of the data showed that the Twilio breach could have affected about 1900 Signal phone numbers: for these numbers, the attackers were able to re-register the phone number on another device and then receive or send messages for the associated number. Message history, profile information and the address book could not be retrieved, because such information is stored on the user's device and is not transmitted to the Signal servers.
Between the time of the breach and the point at which Twilio blocked the compromised employee account used in the attack, activity associated with registering an account or sending a verification code via SMS was observed on those 1900 phone numbers. At the same time, having gained access to the Twilio service interface, the attackers searched specifically for three Signal user numbers, and at least one of those numbers was successfully re-registered to the attackers' device, judging by a complaint received from the owner of the affected account. Signal sent SMS notifications about the incident to all users potentially affected by the attack and unregistered their devices.
Twilio was compromised using social engineering techniques that allowed the attackers to lure one of the company's employees to a phishing page and gain access to their customer support account. Specifically, the attackers sent SMS messages to Twilio employees warning of account expiration or announcing a schedule change, with an attached link to a fake page styled to look like the single sign-on interface for Twilio's internal services. According to Twilio, after connecting to the helpdesk interface, the attackers managed to gain access to data associated with 125 customers.
Source: opennet.ru
