[CVE-2024-39891] Twilio Authy Information Disclosure Vulnerability

NVD 상세 정보

설명: In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

CWE: CWE-203 | CWE-203

참조

• https://cwe.mitre.org/data/definitions/203.html [Technical Description]
• https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ [Press/Media Coverage]
• https://www.twilio.com/docs/usage/security/reporting-vulnerabilities [Product]
• https://www.twilio.com/en-us/changelog [Release Notes]
• https://cwe.mitre.org/data/definitions/203.html [Technical Description]
• https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/ [Press/Media Coverage]
• https://www.twilio.com/docs/usage/security/reporting-vulnerabilities [Product]
• https://www.twilio.com/en-us/changelog [Release Notes]
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891 [US Government Resource]