CVE-2024-39891: 
NixOS vulnerability analysis and mitigation

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. The vulnerability allowed attackers to verify whether specific phone numbers were registered with Authy by sending requests to an unsecured API endpoint (NVD, MITRE).

The vulnerability (CVE-2024-39891) has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The flaw involved an unauthenticated API endpoint that accepted streams of phone numbers and responded with information about whether each number was registered with Authy. The vulnerability is classified as CWE-203 (Observable Discrepancy) (NVD, CWE).

The vulnerability exposed phone numbers of Authy multi-factor authentication users, potentially making them vulnerable to SMS phishing and SIM swapping attacks. A threat actor compiled a list containing over 33 million phone numbers registered with the Authy service by exploiting this vulnerability (Bleeping Computer).

Twilio has secured the vulnerable API endpoint and no longer allows unauthenticated requests. Users are advised to upgrade to Authy Android version 25.1.0 or later and Authy iOS version 26.1.0 or later. Additionally, users should ensure their mobile accounts are configured to block number transfers without providing a passcode and be vigilant against potential SMS phishing attacks (Bleeping Computer).

The vulnerability was deemed significant enough to be added to CISA's Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by August 13, 2024 (CISA).