CVE-2024-39891

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-39891
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://cwe.mitre.org/data/definitions/203.html Technical Description
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ Press/Media Coverage
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities Product
https://www.twilio.com/en-us/changelog Release Notes
https://cwe.mitre.org/data/definitions/203.html Technical Description
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ Press/Media Coverage
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities Product
https://www.twilio.com/en-us/changelog Release Notes
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*
History

20 Dec 2024, 16:15

Type Values Removed Values Added
References () https://www.twilio.com/en-us/changelog - Product, Release Notes () https://www.twilio.com/en-us/changelog - Release Notes

21 Nov 2024, 09:28

Type Values Removed Values Added
Summary (es) En la API de Twilio Authy, a la que accedía Authy Android antes de 25.1.0 y Authy iOS antes de 26.1.0, un endpoint no autenticado proporcionaba acceso a ciertos datos de números de teléfono. (Sin embargo, las cuentas de Authy no se vieron comprometidas). (es) En la API de Twilio Authy, a la que accedían Authy Android antes de la versión 25.1.0 y Authy iOS antes de la versión 26.1.0, un endpoint no autenticado proporcionaba acceso a determinados datos de números de teléfono, como se explotó en junio de 2024. En concreto, el endpoint aceptaba un flujo de solicitudes que contenían números de teléfono y respondía con información sobre si cada número de teléfono estaba registrado en Authy. (Sin embargo, las cuentas de Authy no se vieron comprometidas).
References () https://cwe.mitre.org/data/definitions/203.html - Technical Description () https://cwe.mitre.org/data/definitions/203.html - Technical Description
References () https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ - Press/Media Coverage () https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ - Press/Media Coverage
References () https://www.twilio.com/docs/usage/security/reporting-vulnerabilities - Product () https://www.twilio.com/docs/usage/security/reporting-vulnerabilities - Product
References () https://www.twilio.com/en-us/changelog - Product, Release Notes () https://www.twilio.com/en-us/changelog - Product, Release Notes

24 Jul 2024, 14:38

Type Values Removed Values Added
CPE cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*
cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*
First Time Twilio authy
Twilio
Twilio authy Authenticator
References () https://cwe.mitre.org/data/definitions/203.html - () https://cwe.mitre.org/data/definitions/203.html - Technical Description
References () https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ - () https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ - Press/Media Coverage
References () https://www.twilio.com/docs/usage/security/reporting-vulnerabilities - () https://www.twilio.com/docs/usage/security/reporting-vulnerabilities - Product
References () https://www.twilio.com/en-us/changelog - () https://www.twilio.com/en-us/changelog - Product, Release Notes

03 Jul 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-02 18:15

Updated : 2024-12-20 16:15

NVD link : CVE-2024-39891

Mitre link : CVE-2024-39891

CVE.ORG link : CVE-2024-39891

JSON object : View

Products Affected

twilio

  • authy_authenticator
  • authy
CWE
CWE-203

Observable Discrepancy