CVE-2024-39891
Published 2024-07-02
Priority P279 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
KEV · ITW
CISA Known Exploited Vulnerability, due 2024-08-13
Exploited in the wild
EPSS: 1.48% (70.6th percentile)
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| twilio | authy | < 26.1.0 | 26.1.0 |
| twilio | authy_authenticator | < 25.1.0 | 25.1.0 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated requests to the Twilio Authy API endpoint that accept a stream of phone numbers and return registration status; monitor for bulk enumeration patterns against the Authy API without authentication headers.
- Flag unauthenticated API calls to Twilio Authy endpoints that include phone number parameters in the request body or query string, particularly in high-volume sequences indicative of enumeration.
- Prioritize detection on Authy Android versions before 25.1.0 and Authy iOS versions before 26.1.0, as these versions communicate with the vulnerable unauthenticated API endpoint.
- Exploitation was confirmed in the wild in June 2024; Authy accounts themselves were not compromised. The vulnerability only exposed whether a phone number was registered with Authy (information disclosure, not account takeover).
- Vendor advisory and changelog are available at the Twilio changelog URL referenced by CISA; detections should be validated against vendor-confirmed endpoint details from that source.
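As an added illustration (not code from the page's sources or from Twilio), the enumeration pattern described in the first two detection items above, expressed as detection logic over constructed sample log lines: per source IP, count distinct phone numbers looked up without credentials inside a sliding time window. The endpoint path `/v1/phone-check`, the log line format and the `auth=` field are assumptions; the real Authy endpoint is not named on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Placeholder path (assumption): the real Authy endpoint is not named on this page.
LOOKUP_PATH = "/v1/phone-check"

# Constructed sample access-log lines, not real Authy traffic.
SAMPLE_LOGS = [
    "2024-06-20T10:00:00Z 203.0.113.5 GET /v1/phone-check?phone=%2B15550000001 auth=none 200",
    "2024-06-20T10:00:01Z 203.0.113.5 GET /v1/phone-check?phone=%2B15550000002 auth=none 200",
    "2024-06-20T10:00:01Z 203.0.113.5 GET /v1/phone-check?phone=%2B15550000003 auth=none 200",
    "2024-06-20T10:00:02Z 203.0.113.5 GET /v1/phone-check?phone=%2B15550000004 auth=none 200",
    "2024-06-20T10:00:02Z 203.0.113.5 GET /v1/phone-check?phone=%2B15550000001 auth=none 200",
    "2024-06-20T10:00:03Z 198.51.100.7 GET /v1/phone-check?phone=%2B15550009999 auth=bearer 200",
    "2024-06-20T10:05:00Z 192.0.2.9 GET /v1/phone-check?phone=%2B15550000010 auth=none 200",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "
                    r"auth=(?P<auth>\S+) (?P<status>\d+)$")

def parse_line(line):
    """(timestamp, ip, phone) for an unauthenticated lookup request, else None."""
    m = LOG_RE.match(line)
    if not m or m["auth"] != "none":
        return None
    url = urlsplit(m["url"])
    phone = parse_qs(url.query).get("phone", [None])[0]
    if url.path != LOOKUP_PATH or phone is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], phone

def find_enumerators(lines, threshold=4, window=timedelta(seconds=60)):
    """Source IP -> max distinct numbers probed without credentials within any
    `window`; only sources reaching `threshold` are returned (enumeration)."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Authenticated requests and sources probing a single number fall below the threshold; the repeated number from 203.0.113.5 is counted once.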
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vulncheck | | 5.3 | MEDIUM | |
| cisa | | 5.3 | MEDIUM | |
CISA
Twilio Authy Information Disclosure Vulnerability
cisa · 2024-07-23 · CVSS 5.3 · MEDIUM · CWE-203
Vulnerability: Twilio Authy Information Disclosure Vulnerability
Affected: Twilio Authy
Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS; https://nvd.nist.gov/vuln/detail/CVE-2024-39891
Remediation Due Date: 2024-08-13
GHSA
GHSA-vg5j-h7r8-88x8: In the Twilio Authy API, accessed by Authy Android before 25
ghsa_unreviewed · 2024-07-02 · MEDIUM · CWE-203
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data. (Authy accounts were not compromised, however.)
VulnCheck
Twilio Authy Information Disclosure Vulnerability
vulncheck · 2024 · CVSS 5.3 · MEDIUM · CWE-203
Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.
Affected: Twilio Authy
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2024-39891; https://www.cve.org/CVERecord?id=CVE-2024-39891; https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2024-08-13
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://cwe.mitre.org/data/definitions/203.html
- https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/
- https://www.twilio.com/docs/usage/security/reporting-vulnerabilities
- https://www.twilio.com/en-us/changelog
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891
Timeline:
- 2024-07-02: Published
- 2024-07-23: Added to CISA KEV
- Exploited in the wild