Eavesdropper: hardcoded credentials leave messaging apps on Android and iOS vulnerable
Security firm Appthority has discovered a data exposure flaw it calls Eavesdropper that affects nearly 700 enterprise iOS and Android apps. The exposure stems from hardcoded credentials in apps that use the Twilio REST API or SDK: anyone holding those credentials can easily access everything in the associated Twilio account, including text messages, call metadata and voice recordings.
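The root cause described above is a secret that ships inside the app package, which is something a release pipeline can check for. The following scanner is an added example written for this article; it is not Appthority's tooling or Twilio's code. It assumes you have already extracted printable strings from an app package (for example with a strings utility over the APK or IPA contents) and feeds them in as a list of lines; the sample input below is constructed for illustration. It relies on the known Twilio Account SID format (the letters "AC" followed by 32 hexadecimal characters) and treats any other bare 32-hex string as a possible auth token only when Twilio context is present, since that heuristic also matches ordinary MD5 digests.

```python
import re
from typing import Dict, List

# Twilio Account SIDs are "AC" followed by 32 hex characters (known format).
# Auth tokens are 32 hex characters, which is too generic to report on its own,
# so bare 32-hex strings are only flagged when the bundle shows Twilio context.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
TWILIO_CONTEXT_RE = re.compile(r"twilio", re.IGNORECASE)


def redact(secret: str) -> str:
    """Keep a short prefix so a scan report does not re-leak the credential."""
    return secret[:4] + "[REDACTED]"


def scan_strings(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspected embedded Twilio credential.

    `lines` is the list of printable strings extracted from an app package.
    """
    findings: List[Dict[str, object]] = []
    # Context = a Twilio hostname/SDK string or a definite Account SID anywhere.
    has_context = any(
        TWILIO_CONTEXT_RE.search(line) or ACCOUNT_SID_RE.search(line)
        for line in lines
    )
    for lineno, line in enumerate(lines, 1):
        for match in ACCOUNT_SID_RE.finditer(line):
            findings.append({
                "line": lineno,
                "kind": "account_sid",
                "value": redact(match.group(0)),
                "confidence": "high",
            })
        if has_context:
            # Word boundaries keep this from matching the hex tail of a SID,
            # because the preceding "C" is itself a word character.
            for match in HEX32_RE.finditer(line):
                findings.append({
                    "line": lineno,
                    "kind": "possible_auth_token",
                    "value": redact(match.group(0)),
                    "confidence": "medium",
                })
    return findings


def has_high_confidence_finding(findings: List[Dict[str, object]]) -> bool:
    """True when at least one finding should block a release outright."""
    return any(f["confidence"] == "high" for f in findings)


# Constructed sample strings standing in for output of a strings extraction
# over an app package; the SID and token values are fabricated placeholders.
SAMPLE_STRINGS = [
    "Landroid/os/Bundle;",
    "https://api.twilio.com/2010-04-01/Accounts/",
    "AC" + "0123456789abcdef" * 2,      # fabricated Account SID shape
    "0123456789abcdef" * 2,             # fabricated 32-hex token shape
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of empty string: heuristic false positive
]

if __name__ == "__main__":
    for finding in scan_strings(SAMPLE_STRINGS):
        print(finding)
    print("block release:", has_high_confidence_finding(scan_strings(SAMPLE_STRINGS)))
```

Run this against every build before it is published; a high-confidence hit means the Twilio credential must come out of the client entirely, with the app calling your own backend service, which holds the Twilio credentials, rather than the Twilio REST API directly. The medium-confidence hits show why the bare-hex heuristic needs a human look: the MD5 digest in the sample is flagged too.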
This is risky for enterprises because attackers can easily obtain sensitive information such as pricing discussions, negotiations, market information, private recruiting calls, and proprietary technology and product reports. Because the files are unprotected, an attacker needs only reconnaissance, exploitation and exfiltration to complete the attack. A basic script that converts audio files to text can be run, and the resulting transcripts searched for keywords and users' data.
Appthority first uncovered the flaw in April and informed Twilio about it in July. By the end of August the number of affected apps had fallen to 102 in the iOS App Store and 85 in Google Play. It is extremely important to exercise caution when you browse the web and share your data, as many cyber attacks are just waiting to be carried out on unsuspecting victims.