Unauthenticated Endpoint Exposed Phone-Number Data
CVE-2024-39891
Key Information:
- Vendor
- Twilio
- Status
- Vendor
- CVE Published:
- 2 July 2024
Badges
Summary
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
News Articles
Security AffairsCVE-2024-39891U.S. CISA adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog
U.S. CISA adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog.
The Hacker NewsCVE-2024-39891CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List
CISA adds two security vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies to address them by August 13, 2024.
Organizations Warned of Exploited Twilio Authy Vulnerability
CISA warns of the in-the-wild exploitation of CVE-2024-39891, a Twilio Authy bug leading to the disclosure of phone number data.
References
EPSS Score
18% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📰
First article discovered by SecurityWeek
- 👾
Exploit known to exist
- 🦅
CISA Reported
Vulnerability published