Botpress – Credential Disclosure via Twilio Webhook Handler

27/03/2026

The Twilio integration webhook handler accepts any POST request without validating Twilio’s ‘X-Twilio-Signature’.

When processing media messages, it fetches user-controlled URLs (‘MediaUrlN’ parameters) using HTTP requests that include the integration’s Twilio credentials in the ‘Authorization’ header.

An attacker can forge a webhook payload pointing to their own server and receive the victim’s ‘accountSID’ and ‘authToken’ in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.

Joshua Martinelle Fri, 03/27/2026 – 10:01
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Botpress – Credential Disclosure via Twilio Webhook Handler

Latest article

Security posture improvement in the AI era

Metasploit Wrap-Up 05/01/2026

Windows shell spoofing vulnerability puts sensitive data at risk

Criminal IP and Securonix ThreatQ Collaborate to Enhance Threat Intelligence Operations

EDITOR PICKS

Security posture improvement in the AI era

Metasploit Wrap-Up 05/01/2026

Windows shell spoofing vulnerability puts sensitive data at risk

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY

Security posture improvement in the AI era

Metasploit Wrap-Up 05/01/2026

Windows shell spoofing vulnerability puts sensitive data at risk