fix(security): add Twilio webhook signature validation [HIGH]#4688
Closed
Joshua-Medvinsky wants to merge 1 commit into
Conversation
The Twilio webhook handler at /webhooks/twilio accepted inbound POST requests without verifying the X-Twilio-Signature header. An attacker who discovers the webhook URL can forge requests with arbitrary From numbers, bypassing the SMS_ALLOWED_USERS allowlist and impersonating authorized users.

Add _verify_twilio_signature() using Twilio's RequestValidator to validate every inbound request against the auth token. Requests with invalid or missing signatures are rejected with 403. Validation can be disabled via TWILIO_VALIDATE_SIGNATURES=false for local development.

Reported-by: FailSafe Security Researcher
Co-Authored-By: Joshua Medvinsky <joshua-medvinsky@users.noreply.github.com>
This vulnerability has been fixed in PR #7933 (merged). Thanks for identifying and reporting the issue, @Joshua-Medvinsky — your PR was one of the first to flag this.
Security Finding: Twilio Webhook Authentication Bypass

Severity: HIGH
Reported by: FailSafe Security Researcher
Component: `gateway/platforms/sms.py` — `_handle_webhook()`

Description

The Twilio webhook endpoint at `/webhooks/twilio` does not validate the `X-Twilio-Signature` header. The `TWILIO_AUTH_TOKEN` is used for outbound API auth but never for inbound webhook verification. Any network-reachable attacker who discovers the webhook URL can forge requests with arbitrary `From` numbers, bypassing `SMS_ALLOWED_USERS` and impersonating authorized users.

The webhook binds to `0.0.0.0` with no signature validation or IP-based restriction. Twilio's `RequestValidator` is not imported or referenced anywhere in the file.

Fix

- `_verify_twilio_signature()` using Twilio's official `RequestValidator` to validate every inbound request
- `TWILIO_VALIDATE_SIGNATURES=false` for local development
- `twilio` package is not installed (logs warning, allows request)

Test plan

- `TWILIO_VALIDATE_SIGNATURES=false` disables validation for dev
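The check the commit message and the finding above describe, as an added stand-alone example that is not the project's `_verify_twilio_signature()` and does not use the `twilio` package. It reimplements Twilio's published signature scheme (full request URL plus name-sorted POST parameters, HMAC-SHA1 under the auth token, base64) with the standard library so it runs offline, and shows a genuine request passing while a forged, wrong-token and tampered request all get 403. The token, URL, phone numbers and the `handle_webhook` stand-in are constructed for the example and are not taken from the repository.

```python
import base64
import hashlib
import hmac

# Constructed values for this example only; not a real token or deployment.
AUTH_TOKEN = "0123456789abcdef0123456789abcdef"
WEBHOOK_URL = "https://gateway.example.com/webhooks/twilio"
SMS_ALLOWED_USERS = {"+15550001111"}


def compute_twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Recompute the X-Twilio-Signature value for a form-encoded POST.

    Twilio's documented scheme: take the full URL Twilio requested (including
    any query string), append each POST parameter's name followed by its value
    in name-sorted order, HMAC-SHA1 that string with the account auth token,
    and base64-encode the raw digest.
    """
    payload = url + "".join(name + params[name] for name in sorted(params))
    digest = hmac.new(auth_token.encode("utf-8"),
                      payload.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_twilio_signature(auth_token: str, url: str, params: dict,
                            header_value) -> bool:
    """True only when the header matches; a missing header fails closed."""
    if not header_value:
        return False
    expected = compute_twilio_signature(auth_token, url, params)
    # Compare as bytes in constant time: compare_digest on str raises on
    # non-ASCII input, and an attacker controls the header value.
    return hmac.compare_digest(expected.encode("utf-8"),
                               str(header_value).encode("utf-8"))


def handle_webhook(url: str, params: dict, headers: dict, *,
                   auth_token: str = AUTH_TOKEN,
                   allowed_users=SMS_ALLOWED_USERS,
                   validate_signatures: bool = True):
    """Hypothetical stand-in for the handler's authorization path.

    Returns (status, reason). The signature check runs before the From
    allowlist, so a forged From can never reach it. validate_signatures=False
    mirrors TWILIO_VALIDATE_SIGNATURES=false and is for local development only.
    """
    if validate_signatures and not verify_twilio_signature(
            auth_token, url, params, headers.get("X-Twilio-Signature")):
        return 403, "invalid or missing X-Twilio-Signature"
    sender = params.get("From", "")
    if sender not in allowed_users:
        return 403, "sender not in SMS_ALLOWED_USERS"
    return 200, "ok"


def demo() -> dict:
    """Run the cases a reviewer would want to see; returns status per case."""
    params = {"From": "+15550001111", "To": "+15559990000", "Body": "status"}

    # Genuine request: Twilio signs exactly the URL and parameters it posts.
    signed = {"X-Twilio-Signature":
              compute_twilio_signature(AUTH_TOKEN, WEBHOOK_URL, params)}
    genuine = handle_webhook(WEBHOOK_URL, params, signed)

    # Forgery: attacker knows the URL and an allowlisted number but not the
    # token, so the header is absent or signed under a guessed token.
    forged_no_header = handle_webhook(WEBHOOK_URL, params, {})
    forged_bad_token = handle_webhook(WEBHOOK_URL, params, {
        "X-Twilio-Signature":
            compute_twilio_signature("guessed-token", WEBHOOK_URL, params)})

    # Tampering: a real signed request from a non-allowlisted number whose
    # From is rewritten in transit no longer matches its signature.
    original = {"From": "+15550002222", "To": "+15559990000", "Body": "hi"}
    real_sig = {"X-Twilio-Signature":
                compute_twilio_signature(AUTH_TOKEN, WEBHOOK_URL, original)}
    tampered = handle_webhook(WEBHOOK_URL, dict(original, From="+15550001111"),
                              real_sig)

    # Validation disabled (dev mode): the same forgery is accepted.
    disabled = handle_webhook(WEBHOOK_URL, params, {}, validate_signatures=False)

    return {"genuine": genuine[0], "forged_no_header": forged_no_header[0],
            "forged_bad_token": forged_bad_token[0], "tampered": tampered[0],
            "validation_disabled": disabled[0]}


if __name__ == "__main__":
    print(demo())
```

Two points the example fails closed on that the finding's "logs warning, allows request" path does not: a missing header and an unavailable verifier both yield 403 here rather than admitting the request. In a real deployment the `url` passed to the check must be the URL Twilio actually requested, scheme, host, port and query string included; behind a reverse proxy that is usually the forwarded public URL, not the one the application reconstructs from its local socket, and a mismatch there is the usual cause of valid requests being rejected.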