Lucene search

AttackerKBAKB:7DD434A2-0183-47B1-9405-597C309FDB6B

HistoryJul 02, 2024 - 12:00 a.m.

CVE-2024-39891

2024-07-0200:00:00

attackerkb.com

twilio authy

api

unauthenticated endpoint

authy android

authy ios

phone-number data

security vulnerability

cve-2024-39891

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

Low

JSON

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

Recent assessments:

Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39891

cwe.mitre.org/data/definitions/203.html

www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/

www.twilio.com/docs/usage/security/reporting-vulnerabilities

www.twilio.com/en-us/changelog

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

Low

JSON

Related for AKB:7DD434A2-0183-47B1-9405-597C309FDB6B