CVE-2024-39891

Basic Information

CVE State
PUBLISHED
Reserved Date
July 02, 2024
Published Date
July 02, 2024
Last Updated
August 02, 2024
Vendor
n/a
Product
n/a
Description
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

CVSS Scores

CVSS v3.1

5.3 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (added 2024-07-23 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2024-07-23 00:00:00 UTC