CVE-2024-39891

Name of the Vulnerable Software and Affected Versions Twilio Authy Android versions prior to 25.1.0 Twilio Authy iOS versions prior to 26.1.0

Description The issue concerns an unauthenticated endpoint in the Twilio Authy API that provided access to certain phone-number data. This endpoint accepted a stream of requests containing phone numbers and responded with information about whether each phone number was registered with Authy. The issue was exploited in the wild in June 2024, but Authy accounts were not compromised. The vulnerability is related to information disclosure due to inconsistency.

Recommendations For Twilio Authy Android versions prior to 25.1.0, update to version 25.1.0 or later to resolve the issue. For Twilio Authy iOS versions prior to 26.1.0, update to version 26.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the unauthenticated endpoint in the Twilio Authy API until a patch is applied.