CVE-2024-39891 Information

Description

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.) The weakness is an observable discrepancy (CWE-203): because the response differed by registration status and the endpoint required neither authentication nor throttling, it could be driven as a bulk user-enumeration oracle.

Reference

https://cwe.mitre.org/data/definitions/203.html
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities
https://www.twilio.com/en-us/changelog
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/