CVE-2024-39891

Twilio Authy Information Disclosure Vulnerability

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

Act
*SSVC
Descriptions

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data. (Authy accounts were not compromised, however.)

Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Act
  • Exploitation: Active
  • Automatable: Yes
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-07-02 CVE Reserved
  • 2024-07-02 CVE Published
  • 2024-07-23 Exploited in Wild
  • 2024-08-02 CVE Updated
  • 2024-08-13 KEV Due Date
  • 2024-10-17 EPSS Updated
  • ---------- First Exploit
CWE
  • CWE-203: Observable Discrepancy
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Twilio | Authy | < 26.1.0 | iphone_os | Affected
Twilio | Authy Authenticator | < 25.1.0 | android | Affected