CVE-2024-39891 - OpenCVE

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Twilio	Authy Authy Authenticator

Configuration 1 [-]

OR	cpe:2.3:a:twilio:authy::::::iphone_os::*
	cpe:2.3:a:twilio:authy_authenticator::::::android::*

No data.

References

Link	Providers
https://cwe.mitre.org/data/definitions/203.html
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities
https://www.twilio.com/en-us/changelog

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-02T00:00:00

Updated: 2024-08-02T04:33:11.402Z

Reserved: 2024-07-02T00:00:00

Link: CVE-2024-39891

Vulnrichment

Updated: 2024-08-02T04:33:11.402Z

NVD

Status : Analyzed

Published: 2024-07-02T18:15:03.447

Modified: 2024-07-24T14:38:43.270

Link: CVE-2024-39891

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-39891", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T04:33:11.402Z", "dateReserved": "2024-07-02T00:00:00", "datePublished": "2024-07-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T22:07:07.423569"}, "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html"}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"url": "https://www.twilio.com/en-us/changelog"}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-203", "lang": "en", "description": "CWE-203 Observable Discrepancy"}]}], "affected": [{"vendor": "twilio", "product": "authy_2-factor_authentication", "cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "26.1.0", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "25.1.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T03:55:42.678226Z", "id": "CVE-2024-39891", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-07-23", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T16:20:22.549Z"}, "timeline": [{"time": "2024-07-23T00:00:00+00:00", "lang": "en", "value": "CVE-2024-39891 added to CISA KEV"}]}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.402Z"}, "title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/en-us/changelog", "tags": ["x_transferred"]}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities", "tags": ["x_transferred"]}, {"url": "https://www.twilio.com/en-us/changelog", "tags": ["x_transferred"]}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.402Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39891", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T03:55:42.678226Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-07-23", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "affected": [{"cpes": ["cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"], "vendor": "twilio", "product": "authy_2-factor_authentication", "versions": [{"status": "affected", "version": "0", "lessThan": "26.1.0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "25.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T18:29:13.344Z"}, "timeline": [{"lang": "en", "time": "2024-07-23T00:00:00+00:00", "value": "CVE-2024-39891 added to CISA KEV"}]}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/203.html"}, {"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"url": "https://www.twilio.com/en-us/changelog"}, {"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}], "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T22:07:07.423569"}}}, "cveMetadata": {"cveId": "CVE-2024-39891", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:33:11.402Z", "dateReserved": "2024-07-02T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-02T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cisaActionDue": "2024-08-13", "cisaExploitAdd": "2024-07-23", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Twilio Authy Information Disclosure Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "F645AEA3-6ACC-4386-ACA9-793E66DBF31E", "versionEndExcluding": "26.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*", "matchCriteriaId": "07B60ED3-2C9B-46F8-9B6C-1FFB46067D06", "versionEndExcluding": "25.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"}, {"lang": "es", "value": "En la API de Twilio Authy, a la que acced\u00eda Authy Android antes de 25.1.0 y Authy iOS antes de 26.1.0, un endpoint no autenticado proporcionaba acceso a ciertos datos de n\u00fameros de tel\u00e9fono. (Sin embargo, las cuentas de Authy no se vieron comprometidas)."}], "id": "CVE-2024-39891", "lastModified": "2024-07-24T14:38:43.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2024-07-02T18:15:03.447", "references": [{"source": "cve@mitre.org", "tags": ["Technical Description"], "url": "https://cwe.mitre.org/data/definitions/203.html"}, {"source": "cve@mitre.org", "tags": ["Press/Media Coverage"], "url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"}, {"source": "cve@mitre.org", "tags": ["Product", "Release Notes"], "url": "https://www.twilio.com/en-us/changelog"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}