Twilio Authy Information Disclosure Vulnerability
Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.
A remote attacker, without authentication, can achieve partial data exposure. Federal agencies are required to remediate by 2024-08-13 under CISA BOD 22-01.
This is a Software Vulnerability (CWE-203) (CWE-203) vulnerability in Twilio Authy. In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.) Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: https://cwe.mitre.org/data/definitions/203.html
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References