Organizations Warned of Exploited Twilio Authy Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a vulnerability in Twilio's Authy service that is being exploited in the wild. Tracked as CVE-2024-39891, it is an information disclosure issue in the Twilio Authy API. Twilio shipped its fix alongside Authy 25.1.0 for Android and Authy 26.1.0 for iOS, so earlier versions of the apps are listed as affected.
The flaw was an unauthenticated endpoint that leaked phone number data. The National Institute of Standards and Technology (NIST) National Vulnerability Database entry describes an endpoint that accepted a stream of requests containing phone numbers and responded with whether each number was registered with Authy, in other words an account enumeration oracle. The accounts themselves were not compromised, but a phone number confirmed to belong to an Authy user is valuable to attackers in its own right, since it tells them who uses Authy for multi-factor authentication.
Twilio first alerted users to this vulnerability on July 1, urging immediate updates to the latest versions of the Authy application. The company stated, “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.” They emphasized that no internal systems were compromised during the attacks.
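To make the pattern described above concrete, here is an added example (not Twilio's code and not from the original advisory) that models an unauthenticated "is this number registered?" endpoint, the same lookup hardened the way Twilio describes (credential required, response no longer an oracle), and a log check that flags a source walking through many distinct phone numbers. The account table, the API token store, the `/v1/lookup` path and the access-log lines are all constructed for illustration.

```python
"""
Added example (not Twilio's code, not from the original article): a model of
an unauthenticated "is this number registered?" endpoint, the same lookup
hardened against enumeration, and a log check that flags sources probing
many distinct numbers. REGISTERED, API_TOKENS, the /v1/lookup path and the
log lines are all constructed for illustration.
"""
import hmac
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed account table keyed by E.164 phone number.
REGISTERED = {"+15551230001", "+15551230002", "+15551230003"}
# Constructed API credential store (token -> client id).
API_TOKENS = {"tok-client-1": "client-1"}


def lookup_vulnerable(phone: str) -> Dict[str, object]:
    """Vulnerable pattern: no credential required, and the response is an
    oracle because status and body differ by registration state."""
    if phone in REGISTERED:
        return {"status": 200, "registered": True, "phone": phone}
    return {"status": 404, "registered": False}


def _send_verification(phone: str) -> None:
    """Stand-in for an internal side effect (e.g. sending a code); no-op here."""
    return None


def lookup_hardened(phone: str, auth_token: Optional[str]) -> Dict[str, object]:
    """Hardened pattern: reject unauthenticated callers, and give authenticated
    callers the same response whether or not the number is registered. The
    registration check still happens, but its result only drives an internal
    action, never the HTTP response."""
    if auth_token is None or not any(
        hmac.compare_digest(auth_token, t) for t in API_TOKENS
    ):
        return {"status": 401}
    if phone in REGISTERED:
        _send_verification(phone)
    return {"status": 202,
            "message": "If the number is registered, a code has been sent."}


# --- Detection: flag sources that probe many distinct numbers ---------------
# Constructed access-log format: ip, timestamp, "GET target", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "GET (?P<target>\S+)" (?P<status>\d{3})$'
)

SAMPLE_LOG = """\
203.0.113.7 2024-06-30T10:00:01Z "GET /v1/lookup?phone=%2B15551230001" 200
203.0.113.7 2024-06-30T10:00:01Z "GET /v1/lookup?phone=%2B15551230004" 404
203.0.113.7 2024-06-30T10:00:02Z "GET /v1/lookup?phone=%2B15551230002" 200
203.0.113.7 2024-06-30T10:00:02Z "GET /v1/lookup?phone=%2B15551230005" 404
203.0.113.7 2024-06-30T10:00:03Z "GET /v1/lookup?phone=%2B15551230006" 404
198.51.100.2 2024-06-30T10:00:05Z "GET /v1/lookup?phone=%2B15551230003" 200
198.51.100.2 2024-06-30T10:00:09Z "GET /v1/lookup?phone=%2B15551230003" 200
"""


def enumeration_sources(lines: Iterable[str], path: str = "/v1/lookup",
                        threshold: int = 3) -> Dict[str, int]:
    """Return {ip: distinct_numbers} for sources that queried more than
    `threshold` distinct phone numbers against `path`. A legitimate client
    re-checks the same number; an enumerator walks through many of them."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != path:
            continue
        for phone in parse_qs(parts.query).get("phone", []):
            seen[m.group("ip")].add(phone)
    return {ip: len(nums) for ip, nums in seen.items() if len(nums) > threshold}


if __name__ == "__main__":
    print(lookup_vulnerable("+15551230001"))
    print(lookup_hardened("+15551230001", None))
    print(enumeration_sources(SAMPLE_LOG.splitlines()))
```

The detection threshold is deliberately low for the constructed log; in production it would be tuned per window and combined with rate limiting on the endpoint itself, since a uniform response only removes the oracle for attackers who cannot observe side effects (such as whether an SMS arrives).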
As a precaution, Twilio has recommended that all Authy users update to the latest Android and iOS versions. The endpoint itself was fixed on Twilio's side, but the exposed phone numbers remain in circulation, and threat actors can use them for phishing and smishing campaigns that are more convincing because the sender knows the target uses Authy.
The urgency of this alert has been amplified by the recent actions of the ShinyHunters hacker group, which announced in late June that they had leaked 33 million phone numbers linked to Authy accounts. This incident has raised alarms about the potential for increased targeting of individuals whose phone numbers have been exposed.
In response to this situation, CISA has added CVE-2024-39891 to its Known Exploited Vulnerabilities (KEV) catalog. The agency is urging federal agencies to identify and mitigate vulnerable instances in their environments before the deadline of August 13, as part of Binding Operational Directive (BOD) 22-01. While this directive is primarily aimed at federal agencies, all organizations are encouraged to review the KEV list and address identified vulnerabilities promptly.
Alongside the Twilio flaw, CISA added CVE-2012-4792, a long-standing use-after-free vulnerability in Internet Explorer that can lead to arbitrary code execution. It has been known for over a decade, with exploitation reported from the time of its discovery.
Organizations across sectors should treat these warnings seriously: update affected Authy clients, retire or isolate any remaining Internet Explorer deployments, and review the KEV catalog for other entries relevant to their environments.
Prompt action on KEV additions, together with monitoring for enumeration-style abuse of unauthenticated endpoints, limits the window in which vulnerabilities like these can be exploited.