CVE-2024-39891
CVE-2024-39891
In short
Twilio's Authy app had a security weakness that let anyone check if a phone number was registered with Authy, without needing to log in. This exposed which phone numbers use Authy, though the actual accounts themselves weren't compromised.
Technical detail
An unauthenticated API endpoint in Authy Android (<25.1.0) and iOS (<26.1.0) allowed attackers to enumerate registered phone numbers by submitting requests containing phone numbers and receiving confirmation of registration status. This information disclosure vulnerability (CWE-203) was actively exploited in June 2024, enabling account enumeration attacks without requiring authentication.
Summary generated and translated by AI from the official description.
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N
Affected products
n/a · n/aWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://cwe.mitre.org/data/definitions/203.htmlhttps://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891https://www.twilio.com/docs/usage/security/reporting-vulnerabilitieshttps://www.twilio.com/en-us/changelog