Overview
- Description
- In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
- Source
- cve@mitre.org
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
Known exploits
Data from CISA
- Vulnerability name
- Twilio Authy Information Disclosure Vulnerability
- Exploit added on
- Jul 23, 2024
- Exploit action due
- Aug 13, 2024
- Required action
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*",
"vulnerable": true,
"matchCriteriaId": "F645AEA3-6ACC-4386-ACA9-793E66DBF31E",
"versionEndExcluding": "26.1.0"
},
{
"criteria": "cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*",
"vulnerable": true,
"matchCriteriaId": "07B60ED3-2C9B-46F8-9B6C-1FFB46067D06",
"versionEndExcluding": "25.1.0"
}
],
"operator": "OR"
}
]
}
]