External risk intelligence

Authy API Information Disclosure Vulnerability

CVE advisory, Known exploit

CVE-2024-39891

An unauthenticated endpoint in the Twilio Authy API allowed attackers to determine whether a phone number was registered with Authy, which enables targeted follow-on attacks such as phishing, smishing and SIM swapping. This vulnerability was exploited in the wild. Affected systems are Authy Android before 25.1.0 and Authy iOS before 26.1.0, which use the affected endpoint. The business ris

Halo Surface Signal: 5

Twilio Authy

Authy Android before 25.1.0; Authy iOS before 26.1.0

External exposure likelihood

Halo Surface Signal score for CVE-2024-39891

The vulnerability exists in a public-facing API endpoint that accepts requests from anywhere on the internet. As part of a widely used authentication service, the API is exposed to the public internet by design so that the Authy applications can perform verification, which makes it a textbook public-facing network service. Note that the endpoint is operated by Twilio: the exposure belongs to the service, not to the networks of organizations whose users run Authy.

Horizon Alert

Summary of the vulnerability and why it matters

An endpoint within the Twilio Authy API could be called without any credentials. It allowed a caller to determine whether a given phone number was registered with Authy. The impact is the exposure of registration status for arbitrary phone numbers, which lets attackers build a list of Authy users and target them individually.

  • Authy API endpoint
  • Information disclosure weakness
  • Exposure of phone number data

Attack Path

How an attacker could exploit the issue

The endpoint required no authentication and its response differed depending on whether the submitted number was registered (the observable discrepancy behind CWE-203). An attacker could therefore submit phone numbers in bulk, record which ones were confirmed as registered, and use the resulting list to target specific users or as intelligence for further attacks such as phishing or SIM swapping.

  • Public API endpoint exposed.
  • Attacker sends phone numbers.
  • Endpoint confirms Authy registration.
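The weakness in the attack path above, shown as an added example that is not Twilio's or Authy's code: a hypothetical phone-number lookup handler in its vulnerable form (unauthenticated, and answering differently for registered and unregistered numbers) beside a hardened form that requires a device token, rate-limits each client, and returns an identical response regardless of registration state. The registry contents, the token values and the 202 "if registered, a code has been sent" response are all assumptions for the example.

```python
"""Phone-number lookup, vulnerable vs. hardened (illustration of CWE-203).

Added example, not Twilio's or Authy's implementation. The registry, the device
tokens and the response shapes are constructed for the demonstration.
"""
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed sample data (assumptions): enrolled numbers and the bearer tokens
# held by enrolled devices.
REGISTERED = {"+15555550100", "+15555550101"}
VALID_DEVICE_TOKENS = {"dev-token-A1"}


def vulnerable_lookup(phone: str) -> dict:
    """Vulnerable: no authentication, and the response differs by registration state.

    An anonymous caller iterating over a number range reads the status code (or
    the body) and learns exactly which numbers are enrolled.
    """
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "phone number not found"}}


class HardenedLookup:
    """Hardened: require a device token, rate-limit per client, answer uniformly."""

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._hits = defaultdict(list)  # client id -> request timestamps
        self.sent_codes = []            # side effects, kept so callers/tests can inspect them

    def _token_ok(self, token: str) -> bool:
        # Constant-time comparison so the token check itself is not a timing oracle.
        return any(hmac.compare_digest(token, t) for t in VALID_DEVICE_TOKENS)

    def _rate_limited(self, client: str, now: float) -> bool:
        recent = [t for t in self._hits[client] if now - t < self.window_seconds]
        self._hits[client] = recent
        if len(recent) >= self.max_per_window:
            return True
        recent.append(now)
        return False

    def lookup(self, phone: str, token: str, client: str,
               now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        # Rate-limit before the token check so neither the token space nor the
        # phone-number space can be probed cheaply.
        if self._rate_limited(client, now):
            return {"status": 429, "body": {"error": "too many requests"}}
        if not self._token_ok(token):
            return {"status": 401, "body": {"error": "unauthorized"}}
        # Registration state drives only the side effect (delivering a code to a
        # registered number). The HTTP response is identical either way, so even
        # an authenticated caller cannot enumerate by reading responses.
        if phone in REGISTERED:
            self.sent_codes.append(phone)
        return {"status": 202,
                "body": {"message": "If this number is registered, a code has been sent."}}


if __name__ == "__main__":
    print(vulnerable_lookup("+15555550100"), vulnerable_lookup("+15555550199"))
    h = HardenedLookup(max_per_window=3)
    for n in ("+15555550100", "+15555550199"):
        print(h.lookup(n, "dev-token-A1", "client-1"))
```

The two responses from the hardened handler are byte-for-byte identical whether or not the number is enrolled; the only difference is the side effect, which reaches the registered phone and not the caller. Rate limiting and the token check are defence in depth on top of that uniformity, not a substitute for it.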

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated endpoint in the Twilio Authy API, used by Authy Android before version 25.1.0 and Authy iOS before version 26.1.0, allowed attackers to determine whether a phone number was registered with Authy. This vulnerability was exploited in the wild in June 2024. Twilio reported that no Authy accounts were compromised, but the disclosed registration status is exactly what an attacker needs to target users with phishing, smishing or SIM-swap attempts, so the disclosure carries a real business risk.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: Medium

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Twilio Authy API had an unauthenticated endpoint that disclosed whether a phone number was registered. This vulnerability, identified as CVE-2024-39891, let attackers check arbitrary phone numbers against the Authy service. No Authy accounts were compromised, but the exposure of registration status is a business risk because it hands attackers a list of users to target. Two caveats for remediation: the endpoint is hosted by Twilio, so the fix to the API itself was applied on Twilio's side and is not something a customer can patch, and blocking the endpoint from your own network would only break Authy for your users. What remains on the customer side is updating the apps and managing the exposure of the phone numbers themselves.

  • Identify where Authy applications are in use and any of your own systems that call the Authy API.
  • Update Authy Android to 25.1.0 or later and Authy iOS to 26.1.0 or later.
  • Treat phone numbers enrolled in Authy as potentially exposed: brief users on phishing, smishing and SIM-swap attempts, and monitor for them.
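The monitoring step above, as an added example that is not part of the original page: detection logic run over constructed access-log lines that flags a client enumerating a phone-number lookup endpoint (many distinct numbers from one source in a short window, most of them answered "not found"). The log format, the /lookup path and the phone query parameter are assumptions for the example. The Authy endpoint itself is Twilio-hosted, so this is the check you would run on any similar lookup endpoint that your own organization operates.

```python
"""Flag phone-number enumeration against a lookup endpoint from access logs.

Added example, not part of the original page. Log format, the /lookup path and
the phone query parameter are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one client sweeps a number range (mostly 404s), one
# legitimate client re-checks its own number, one unrelated request.
SAMPLE_LOG = """\
2024-06-20T10:00:01Z 203.0.113.7 GET /lookup?phone=%2B15555550100 200
2024-06-20T10:00:01Z 203.0.113.7 GET /lookup?phone=%2B15555550101 404
2024-06-20T10:00:02Z 203.0.113.7 GET /lookup?phone=%2B15555550102 404
2024-06-20T10:00:02Z 203.0.113.7 GET /lookup?phone=%2B15555550103 200
2024-06-20T10:00:03Z 203.0.113.7 GET /lookup?phone=%2B15555550104 404
2024-06-20T10:00:03Z 203.0.113.7 GET /lookup?phone=%2B15555550105 404
2024-06-20T10:00:10Z 198.51.100.4 GET /lookup?phone=%2B15555550100 200
2024-06-20T10:00:45Z 198.51.100.4 GET /lookup?phone=%2B15555550100 200
2024-06-20T10:05:00Z 192.0.2.9 GET /health 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    phone = parse_qs(url.query).get("phone", [None])[0]  # %2B decodes to '+'
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "path": url.path,
        "phone": phone,
        "status": int(m["status"]),
    }


def find_enumerators(log_text: str, path: str = "/lookup",
                     window: timedelta = timedelta(minutes=5),
                     min_distinct: int = 5, min_miss_ratio: float = 0.5):
    """Return one alert per client that queried >= min_distinct different numbers
    within `window`, with at least `min_miss_ratio` of those requests answered 404.

    A legitimate client asks about its own number; an enumerator sweeps a range
    and, because most numbers are not enrolled, sees mostly not-found responses.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] == path and ev["phone"]:
            per_client[ev["ip"]].append(ev)

    alerts = []
    for ip, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):  # sliding window from each request
            in_win = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            phones = {e["phone"] for e in in_win}
            misses = sum(1 for e in in_win if e["status"] == 404)
            miss_ratio = misses / len(in_win)
            if len(phones) >= min_distinct and miss_ratio >= min_miss_ratio:
                alerts.append({"ip": ip, "distinct_phones": len(phones),
                               "miss_ratio": round(miss_ratio, 2),
                               "first_seen": start["ts"].isoformat()})
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for alert in find_enumerators(SAMPLE_LOG):
        print(alert)
```

Tune min_distinct and the window to the endpoint's normal traffic; the not-found ratio is the more robust signal, since a legitimate device almost never asks about numbers that are not enrolled. If the endpoint has been hardened to answer uniformly, the status-code signal disappears and the distinct-number count per client is what remains.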

Frequently asked questions

What is the Authy API and what is it used for?

The Authy API is the Twilio-hosted backend that the Authy mobile applications talk to, and that applications integrating with the Authy authentication system call. Among other things it verifies phone numbers during enrolment and checks whether a number is already registered with Authy, which is typically one step in a multi-factor authentication flow.

What kind of weakness does CVE-2024-39891 represent in the Authy API?

CVE-2024-39891 is classified as an information disclosure vulnerability, specifically CWE-203 (Observable Discrepancy). The endpoint's response differed depending on whether a number was registered, so an unauthorized party could read that difference and learn which phone numbers are enrolled with Authy.

What is needed for an attacker to exploit CVE-2024-39891?

Only network access to the Authy API endpoint. No authentication was required, so an attacker could submit phone numbers to the vulnerable endpoint and read the registration status from the response, and repeat this across a whole number range.

How concerning is CVE-2024-39891 for my organization?

The endpoint is internet-facing by design, because it is a public API endpoint built for external communication; the question is not whether it is exposed but whether your users are affected. If your organization uses Authy for authentication, attackers who exploited this flaw may already know which of your users' phone numbers are enrolled, and can use that list for phishing, smishing or SIM-swap attempts.

What are the first steps to address CVE-2024-39891?

First, identify where and how your organization uses the Authy applications and the Authy API. Then update Authy Android to 25.1.0 or later and Authy iOS to 26.1.0 or later. The endpoint itself is operated by Twilio and was fixed on Twilio's side, so there is no API patch to apply locally; the remaining work is on the exposure, namely warning users whose numbers may have been enumerated and watching for the phishing and SIM-swap attempts that follow.
