2026-03-27 14:13:51
tenable
PUBLISHED
The Twilio integration webhook handler accepts any POST request without validating Twilio's X-Twilio-Signature header. When processing media messages, it fetches user-controlled URLs (the MediaUrlN parameters) with HTTP requests that include the integration's Twilio credentials in the Authorization header. An attacker can forge a webhook payload pointing to their own server and receive the victim's accountSID and authToken in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.