Tracked as CVE-2024-39891, the security defect is described as an information disclosure issue in the Twilio Authy API accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, and resides in an unauthenticated endpoint leaking phone number data.
“Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.),” a NIST advisory reads.
Twilio warned of this vulnerability on July 1, urging users to update to Authy Android version 25.1.0 and iOS App version 26.1.0.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” the company said.
No Twilio systems were compromised and no other sensitive internal data was accessed as part of the identified attacks, the company said.
“As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks,” Twilio said.
Twilio’s alert came after the notorious ShinyHunters hackers announced in late June that they had leaked 33 million phone numbers associated with Authy.
On Tuesday, CISA added CVE-2024-39891 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to identify vulnerable instances in their environments before August 13, in line with Binding Operational Directive (BOD) 22-01.
The agency also added CVE-2012-4792, a use-after-free in Internet Explorer leading to arbitrary code execution. The first reports regarding this bug’s exploitation are over a decade old.
While BOD 22-01 only applies to federal agencies, organizations of all types are advised to review CISA’s KEV list and address the vulnerabilities in it as soon as possible.
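The NIST advisory quoted above describes an endpoint that accepted a stream of phone-number lookups and answered each with registration status. The following added example, which is not Twilio's code and not part of the original article, shows one way a defender could flag that pattern in access logs by counting distinct numbers queried per source in a sliding window. The log layout, window and threshold are assumptions, and all sample traffic is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
MAX_DISTINCT = 20                # assumed ceiling on distinct numbers per source per window

def parse(line):
    """Split 'ISO-timestamp source-ip phone-number' (assumed log layout)."""
    ts, src, phone = line.split()
    return datetime.fromisoformat(ts), src, phone

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {source: peak distinct numbers seen in any window} for sources over the limit."""
    recent = defaultdict(deque)      # source -> (timestamp, phone) pairs still inside the window
    flagged = {}
    for ts, src, phone in sorted(map(parse, lines)):
        q = recent[src]
        q.append((ts, phone))
        while q and ts - q[0][0] > window:   # drop lookups older than the window
            q.popleft()
        distinct = len({p for _, p in q})    # repeats of one number count once
        if distinct > max_distinct:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

def constructed_log():
    """Constructed sample traffic; addresses come from RFC 5737 documentation ranges."""
    base = datetime(2024, 6, 27, 10, 0, 0)
    lines = []
    # One source walking through 40 sequential numbers, one lookup per second.
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 +1555010{i:04d}")
    # An ordinary client re-checking the same number three times.
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 203.0.113.20 +15550199999")
    # A slow source: 30 distinct numbers, one every 5 minutes.
    for i in range(30):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} 192.0.2.44 +1555012{i:04d}")
    return lines

if __name__ == "__main__":
    for src, peak in find_enumerators(constructed_log()).items():
        print(f"{src}: {peak} distinct phone numbers within {WINDOW.seconds}s")
```

With the default 60-second window only the first constructed source is flagged; a second pass with a longer window is what surfaces the slow one.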