The vulnerability is caused by not following security best practices when integrating the Twilio REST API or SDK. Many app developers hard-coded their Twilio credentials into their apps, even though Twilio's documented guidelines specifically ask developers not to do this. The result is that hundreds of apps can leak valuable data:
Appthority has discovered a significant data exposure vulnerability we’ve named Eavesdropper that affects almost 700 apps in enterprise environments. The vulnerability is caused by including hard-coded credentials in mobile applications that are using the Twilio REST API or SDK. By hard-coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings.

The company says the app developers need to take proper measures to ensure the data is no longer at risk.
The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they’ve developed with the exposed credentials.
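Because the exposed secrets sit in the app package itself, the practical defensive check is to scan the strings of a build (or a repository) for Twilio credential shapes before it ships. The scanner below is an added example, not Appthority's or Twilio's code. It relies only on Twilio's publicly documented identifier formats (Account SIDs are "AC" plus 32 hex characters, API Key SIDs are "SK" plus 32 hex, auth tokens are 32 hex characters) and on the fact that some apps embed a precomputed HTTP Basic header rather than the raw pair. The sample strings it runs over are constructed for the example and contain no real credentials.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Twilio identifier formats (public, documented): Account SIDs are "AC" + 32 hex,
# API Key SIDs are "SK" + 32 hex; auth tokens are 32 hex chars with no prefix.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b", re.IGNORECASE)
API_KEY_SID_RE = re.compile(r"\bSK[0-9a-f]{32}\b", re.IGNORECASE)
# A bare 32-hex string is ambiguous (file hashes look identical), so an auth
# token is only reported when it is attached to a token-like key name.
AUTH_TOKEN_RE = re.compile(
    r"(auth[_-]?token|twilio[_-]?(auth[_-]?)?token|api[_-]?secret)\W{0,5}(?P<tok>[0-9a-f]{32})\b",
    re.IGNORECASE,
)
# Apps sometimes ship the precomputed "Authorization: Basic ..." header instead
# of the SID/token pair; decoding it recovers the SID for classification.
BASIC_AUTH_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]{20,}={0,2})")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned strings
    kind: str      # account_sid | api_key_sid | auth_token | basic_auth
    redacted: str  # enough to triage a report, never the full secret


def redact(secret: str) -> str:
    return secret[:6] + "..." + secret[-4:]


def _decode_basic(token: str) -> Optional[str]:
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_strings(lines) -> List[Finding]:
    """Scan printable strings (e.g. the output of `strings` over an app binary,
    or source lines) and return every Twilio credential shape found."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append(Finding(no, "account_sid", redact(m.group(0))))
        for m in API_KEY_SID_RE.finditer(line):
            findings.append(Finding(no, "api_key_sid", redact(m.group(0))))
        for m in AUTH_TOKEN_RE.finditer(line):
            findings.append(Finding(no, "auth_token", redact(m.group("tok"))))
        for m in BASIC_AUTH_RE.finditer(line):
            decoded = _decode_basic(m.group(1))
            if not decoded or ":" not in decoded:
                continue
            user = decoded.split(":", 1)[0]
            # Only report Basic headers whose user part is a Twilio SID.
            if ACCOUNT_SID_RE.fullmatch(user) or API_KEY_SID_RE.fullmatch(user):
                findings.append(Finding(no, "basic_auth", redact(user)))
    return findings


# Constructed sample: what `strings` over an app binary might yield. The SID and
# token are made-up values in the documented format, not real credentials.
SAMPLE_SID = "AC" + "0123456789abcdef" * 2
SAMPLE_TOKEN = "fedcba9876543210" * 2
SAMPLE_STRINGS = [
    "Lcom/example/app/net/TwilioClient;",
    "https://api.twilio.com/2010-04-01/Accounts/%s/Messages.json",
    SAMPLE_SID,
    "twilio_auth_token=" + SAMPLE_TOKEN,
    "Authorization: Basic "
    + base64.b64encode(f"{SAMPLE_SID}:{SAMPLE_TOKEN}".encode()).decode(),
    "md5=9e107d9d372bb6826bd81d3542a419d6",  # decoy: a bare hash, not a token
]

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Run against a real build by feeding it the output of `strings` on the unpacked package (or the repository's source files); any finding means the credential grants account-wide access and should be rotated in the Twilio console and moved behind a server-side endpoint the app calls instead. The decoy line shows why a bare 32-hex match is deliberately not reported: without the key-name context the scanner would flag every MD5 hash in the binary.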