CVE-2024-39891 - Vulnerability Details - OpenCVE

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Twilio	Authy Authy Authenticator

Configuration 1 [-]

OR	cpe:2.3:a:twilio:authy::::::iphone_os::*
	cpe:2.3:a:twilio:authy_authenticator::::::android::*

No data.

References

Link	Providers
https://cwe.mitre.org/data/definitions/203.html
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities
https://www.twilio.com/en-us/changelog

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-02T00:00:00

Updated: 2024-08-02T04:33:11.402Z

Reserved: 2024-07-02T00:00:00

Link: CVE-2024-39891

Vulnrichment

Updated: 2024-08-02T04:33:11.402Z

NVD

Status : Analyzed

Published: 2024-07-02T18:15:03.447

Modified: 2024-12-20T16:15:33.687

Link: CVE-2024-39891

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-39891", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T04:33:11.402Z", "dateReserved": "2024-07-02T00:00:00", "datePublished": "2024-07-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T22:07:07.423569"}, "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html"}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"url": "https://www.twilio.com/en-us/changelog"}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-203", "lang": "en", "description": "CWE-203 Observable Discrepancy"}]}], "affected": [{"vendor": "twilio", "product": "authy_2-factor_authentication", "cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "26.1.0", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "25.1.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T03:55:42.678226Z", "id": "CVE-2024-39891", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-07-23", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T16:20:22.549Z"}, "timeline": [{"time": "2024-07-23T00:00:00+00:00", "lang": "en", "value": "CVE-2024-39891 added to CISA KEV"}]}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.402Z"}, "title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/en-us/changelog", "tags": ["x_transferred"]}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/en-us/changelog", "tags": ["x_transferred"]}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.402Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39891", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T03:55:42.678226Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-07-23", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "affected": [{"cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "vendor": "twilio", "product": "authy_2-factor_authentication", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1.0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "25.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T18:29:13.344Z"}, "timeline": [{"lang": "en", "time": "2024-07-23T00:00:00+00:00", "value": "CVE-2024-39891 added to CISA KEV"}]}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html"}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"url": "https://www.twilio.com/en-us/changelog"}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}], "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T22:07:07.423569"}}}, "cveMetadata": {"cveId": "CVE-2024-39891", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:33:11.402Z", "dateReserved": "2024-07-02T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-02T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cisaActionDue": "2024-08-13", "cisaExploitAdd": "2024-07-23", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Twilio Authy Information Disclosure Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "F645AEA3-6ACC-4386-ACA9-793E66DBF31E", "versionEndExcluding": "26.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*", "matchCriteriaId": "07B60ED3-2C9B-46F8-9B6C-1FFB46067D06", "versionEndExcluding": "25.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}, {"lang": "es", "value": "En la API de Twilio Authy, a la que acced\u00edan Authy Android antes de la versi\u00f3n 25.1.0 y Authy iOS antes de la versi\u00f3n 26.1.0, un endpoint no autenticado proporcionaba acceso a determinados datos de n\u00fameros de tel\u00e9fono, como se explot\u00f3 en junio de 2024. En concreto, el endpoint aceptaba un flujo de solicitudes que conten\u00edan n\u00fameros de tel\u00e9fono y respond\u00eda con informaci\u00f3n sobre si cada n\u00famero de tel\u00e9fono estaba registrado en Authy. (Sin embargo, las cuentas de Authy no se vieron comprometidas)."}], "id": "CVE-2024-39891", "lastModified": "2024-12-20T16:15:33.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-02T18:15:03.447", "references": [{"source": "cve@mitre.org", "tags": ["Technical Description"], "url": "https://cwe.mitre.org/data/definitions/203.html"}, {"source": "cve@mitre.org", "tags": ["Press/Media Coverage"], "url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.twilio.com/en-us/changelog"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://cwe.mitre.org/data/definitions/203.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage"], "url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.twilio.com/en-us/changelog"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}