Botpress Twilio Webhook Handler Credential Disclosure Vulnerability
Vulnerability
A vulnerability in the Twilio integration webhook handler of Botpress allows credential disclosure. The webhook handler processes POST requests without validating Twilio's 'X-Twilio-Signature' header. When handling media messages, it retrieves the user-controlled URLs supplied in the 'MediaUrlN' parameters, and these outbound requests carry the integration's Twilio credentials in the 'Authorization' header. An attacker can exploit this by sending a forged webhook payload whose media URLs point to a server they control, thereby intercepting the victim's 'accountSID' and 'authToken'; the credentials arrive as HTTP Basic Auth, which is only base64-encoded and therefore effectively plaintext. This exposure can lead to full compromise of the Twilio account.
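As an added illustration (not Botpress's or Twilio's code), the following Python sketch shows the two checks the description implies a hardened handler needs: verifying 'X-Twilio-Signature' before trusting any parameter, and refusing to present the integration's credentials to media hosts other than Twilio's own. It implements Twilio's publicly documented request-signing scheme (HMAC-SHA1 over the public webhook URL followed by the sorted POST parameters, keyed with the auth token, base64-encoded) using only the standard library. The token, URL, hostnames and parameter values are constructed placeholders, single-valued parameters are assumed, and the trusted-host set is an assumption of this example rather than anything stated on the page.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Assumption of this example: only Twilio-hosted media may be fetched with the
# integration's credentials. Any other origin never sees the Basic Auth header.
TRUSTED_MEDIA_HOSTS = {"api.twilio.com"}


def compute_twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Twilio's documented scheme: the full public webhook URL, followed by each
    POST parameter's key and value concatenated in key order, is HMAC-SHA1
    signed with the account's auth token and base64-encoded."""
    payload = url + "".join(key + params[key] for key in sorted(params))
    digest = hmac.new(auth_token.encode("utf-8"), payload.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_twilio_request(auth_token: str, url: str, params: dict, header_signature) -> bool:
    """Reject any request whose X-Twilio-Signature is missing or does not match."""
    if not header_signature:
        return False
    expected = compute_twilio_signature(auth_token, url, params)
    # Constant-time comparison so the check itself does not leak the expected value.
    return hmac.compare_digest(expected, header_signature)


def partition_media_urls(params: dict):
    """Split MediaUrlN values into those served by a trusted host over HTTPS
    and everything else. Defence in depth: even a correctly signed request
    should not cause the handler to send credentials to an arbitrary origin."""
    allowed, rejected = [], []
    for key in sorted(params):
        if not (key.startswith("MediaUrl") and key[len("MediaUrl"):].isdigit()):
            continue
        parsed = urlparse(params[key])
        if parsed.scheme == "https" and parsed.hostname in TRUSTED_MEDIA_HOSTS:
            allowed.append(params[key])
        else:
            rejected.append(params[key])
    return allowed, rejected


def handle_twilio_webhook(auth_token: str, public_url: str, headers: dict, params: dict) -> dict:
    """Policy decision for one inbound webhook. Returns a result dict instead of
    performing network fetches so the logic is visible and testable on its own."""
    signature = headers.get("X-Twilio-Signature")
    if not is_valid_twilio_request(auth_token, public_url, params, signature):
        return {"status": "rejected", "reason": "bad or missing X-Twilio-Signature"}
    allowed, rejected = partition_media_urls(params)
    return {"status": "accepted", "fetch_with_credentials": allowed, "skipped": rejected}


# Constructed sample data: placeholder token, URL and identifiers, not real values.
SAMPLE_AUTH_TOKEN = "PLACEHOLDER_AUTH_TOKEN_0123456789abcdef"
SAMPLE_WEBHOOK_URL = "https://bot.example.test/integrations/twilio/webhook"
SAMPLE_MEDIA_URL = (
    "https://api.twilio.com/2010-04-01/Accounts/ACPLACEHOLDER/Messages/MMPLACEHOLDER/Media/MEPLACEHOLDER"
)
GENUINE_PARAMS = {
    "From": "+15550001111",
    "To": "+15550002222",
    "Body": "see attached",
    "NumMedia": "1",
    "MediaUrl0": SAMPLE_MEDIA_URL,
}
# A payload as the description outlines it: unsigned, with a media URL pointing
# at a host outside Twilio.
FORGED_PARAMS = dict(GENUINE_PARAMS, MediaUrl0="https://collector.example.test/grab")


def demo() -> dict:
    """Run the handler over a genuine, a forged and a tampered request."""
    good_sig = compute_twilio_signature(SAMPLE_AUTH_TOKEN, SAMPLE_WEBHOOK_URL, GENUINE_PARAMS)
    genuine = handle_twilio_webhook(
        SAMPLE_AUTH_TOKEN, SAMPLE_WEBHOOK_URL, {"X-Twilio-Signature": good_sig}, GENUINE_PARAMS
    )
    forged = handle_twilio_webhook(SAMPLE_AUTH_TOKEN, SAMPLE_WEBHOOK_URL, {}, FORGED_PARAMS)
    # Signature computed over the genuine body but sent with a modified body.
    tampered = handle_twilio_webhook(
        SAMPLE_AUTH_TOKEN, SAMPLE_WEBHOOK_URL, {"X-Twilio-Signature": good_sig}, FORGED_PARAMS
    )
    return {"genuine": genuine, "forged": forged, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The URL passed to the validator must be the exact public URL configured in the Twilio console (scheme, host, port, path and query string); behind a TLS-terminating proxy the handler has to reconstruct it from the forwarded headers, otherwise legitimate traffic fails the check. Real web frameworks expose header names case-insensitively, which the plain dict lookup here does not model.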
Impact
Exploitation of this vulnerability allows attackers to gain access to Twilio account credentials, including the 'accountSID' and 'authToken', in plaintext. This could result in unauthorized actions being performed on behalf of the victim's Twilio account, potentially leading to further security breaches or misuse of Twilio services.