Gluu would like to provide this bulletin to advise our community about the recent attacks on Twilio, the SMS service that Gluu suggests for one-time passcode (OTP) delivery configured through oxAuth and Casa.
Affects: all Gluu 3.X and 4.X versions that use Twilio SMS.
Gluu provides a sample script in oxAuth that sends a one-time passcode through the Twilio service for authentication. It has come to our attention that a recent attack on Twilio on August 8th gave a malicious actor access to phone numbers and OTP codes for services such as Okta and Authy. You can read the article here: Twilio breach let hackers see Okta’s one-time MFA passwords (bleepingcomputer.com)
This information could be used to impersonate the service, attempt a man-in-the-middle attack, or perform a phishing attack on users.
Gluu and Twilio both suggest tightening the Geo permissions so that messages can be sent only to your own geographic region; this is configured on Twilio's Messaging Geographic Permissions page. To further mitigate the threat, ask your users to update their phone numbers and to remove any unused phone numbers through Casa. Finally, Gluu strongly suggests using Gluu’s free push-based authentication, Super Gluu, or any FIDO2-enabled token or mobile application.
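One application-side complement to the geographic restriction described above, as an added example that is not Gluu's oxAuth script and does not use Twilio's API: a small Python OTP service that refuses to hand any number outside an allow-listed set of country calling codes to the SMS sender, and that verifies codes with a short lifetime, a small attempt budget and a constant-time comparison, so that a code observed in transit is worth as little as possible. The allow-list, the policy constants, the `send_sms` callback and the phone numbers are constructed assumptions for illustration.

```python
"""Hypothetical SMS OTP guard (example code, not Gluu's oxAuth Twilio script)."""
import hashlib
import hmac
import secrets
import time

# Country calling codes this deployment is willing to text (constructed sample:
# North America and the UK). ITU calling codes are prefix-free, so a startswith()
# check against the allow-list identifies the destination country unambiguously.
ALLOWED_COUNTRY_CODES = {"1", "44"}

OTP_DIGITS = 6          # hypothetical policy values
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


def destination_allowed(e164: str) -> bool:
    """Return True only for a well-formed E.164 number in an allowed country."""
    if not e164.startswith("+"):
        return False
    digits = e164[1:]
    if not digits.isdigit() or not 1 <= len(digits) <= 15:
        return False
    return any(digits.startswith(code) for code in ALLOWED_COUNTRY_CODES)


class OtpService:
    """Issue and verify SMS one-time passcodes behind a destination allow-list."""

    def __init__(self, send_sms, now=time.time, server_key=None):
        self._send_sms = send_sms      # callable(phone, message); a real one would call the SMS provider
        self._now = now                # injectable clock so expiry can be tested
        self._key = server_key or secrets.token_bytes(32)
        self._pending = {}             # phone -> {"digest", "expires", "attempts"}

    def _digest(self, phone: str, otp: str) -> bytes:
        # Store a keyed hash instead of the code, so a leaked store does not leak live codes.
        return hmac.new(self._key, f"{phone}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> None:
        """Generate a code for `phone` and pass it to the sender, or refuse out-of-region numbers."""
        if not destination_allowed(phone):
            raise PermissionError(f"refusing to send OTP to {phone}: destination not in allowed region")
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = {
            "digest": self._digest(phone, otp),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, f"Your verification code is {otp}")

    def verify(self, phone: str, candidate: str) -> bool:
        """Accept a code once, within its lifetime, and within the attempt budget."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[phone]   # expired: the user must request a new code
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"], self._digest(phone, candidate))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]   # single use, and lock out after too many guesses
        return ok


if __name__ == "__main__":
    outbox = []                        # stands in for the SMS provider
    svc = OtpService(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    svc.issue("+14155550123")          # constructed sample number inside the allow-list
    code = outbox[-1][1].split()[-1]
    print("wrong code accepted?", svc.verify("+14155550123", "000000" if code != "000000" else "111111"))
    print("right code accepted?", svc.verify("+14155550123", code))
    try:
        svc.issue("+911234567890")     # constructed sample number outside the allow-list
    except PermissionError as exc:
        print(exc)
```

The allow-list check runs before any provider call, so it holds even if the console setting is later loosened; the provider-side Geo permission remains the authoritative control and this is belt-and-braces.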