In June 2024, a security issue (CVE-2024-39891) was discovered in the Twilio Authy API, which affected users of Authy Android before 25.1. and Authy iOS before 26.1.. The vulnerability lay in an unauthenticated endpoint that granted access to specific phone-number data and was actively exploited in the wild. This endpoint essentially allowed malicious actors to send a stream of requests containing phone numbers and receive relevant information on whether a phone number was registered with Authy. Though Authy accounts themselves were not compromised, this vulnerability opened the door for potential privacy concerns for users. In this long-read post, we'll analyze the CVE-2024-39891 vulnerability, delve into code snippets, and discuss the details of the exploit.

The Vulnerability

The Twilio Authy API is a public-facing application programming interface (API) that developers use to integrate Authy's two-factor authentication (2FA) services into their applications. The issue at hand involves an unauthenticated endpoint within the API - meaning that it can be accessed without providing the necessary credentials, essentially allowing anyone to access it.

The exploit in question leveraged this unauthenticated endpoint by sending a stream of phone numbers and receiving information about whether a specific number was registered with Authy. This allowed attackers to potentially build a database of Authy users and expose these users' phone numbers. Additionally, this could lead to social engineering attacks and spamming of Authy users by malicious actors who have access to this list.

Code Snippet

Let's look at an example of how an attacker could use this vulnerability to check whether a phone number is registered with Authy. The following sample API call demonstrates this:

GET /authy/api/check_phone_number?phone_number=123456789 HTTP/1.1
Host: api.example.com

In this example, the attacker sends a GET request to the /authy/api/check_phone_number endpoint with a phone number query parameter. The API should authenticate the user to access this endpoint; however, due to the vulnerability, it fails to do so and returns the information without any authentication.

Original References

Upon the discovery of this vulnerability, Twilio promptly acknowledged the issue and released updates for the affected Authy Android and Authy iOS applications. The following resources provided additional information about the CVE-2024-39891 vulnerability:

1. Twilio Security Advisory
2. CVE Details - CVE-2024-39891

The Exploit Details

As mentioned, the exploit utilizes the unauthenticated endpoint to gain information on whether phone numbers are registered with Authy or not. Using a large list of phone numbers, attackers could gather valuable intelligence about Authy users by sending multiple GET requests to the /authy/api/check_phone_number endpoint.

It's important to note that, while the phone number information was potentially exposed, the vulnerability didn't directly compromise Authy accounts. That being said, users are reminded to always remain vigilant and follow best practices to ensure their privacy and security.

Conclusion

CVE-2024-39891 represents a significant security vulnerability within the Twilio Authy API. By exploiting the unauthenticated endpoint, attackers could gather information on registered Authy users and potentially expose their phone numbers to scammers and other malicious actors. Although it didn't result in direct account compromises, users of the affected Authy Android and Authy iOS applications should update to the latest versions to ensure they're protected against this vulnerability. Being aware of such vulnerabilities and staying informed about security updates is crucial in safeguarding user privacy and security in an increasingly-connected digital world.

Timeline

Published on: 07/02/2024 18:15:03 UTC
Last modified on: 07/24/2024 14:38:43 UTC