CVE-2024-39891: n/a
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
AI Analysis
Technical Summary
CVE-2024-39891 is a vulnerability in the Twilio Authy API affecting Authy Android versions prior to 25.1.0 and iOS versions prior to 26.1.0. The issue stems from an unauthenticated API endpoint that accepts a stream of phone numbers and responds with data indicating whether each number is registered with Authy. This endpoint does not require authentication or user interaction, allowing remote attackers to enumerate registered phone numbers. While the vulnerability does not expose account credentials or allow account takeover, it leaks sensitive metadata about user registration status. This information can be exploited by attackers for social engineering, targeted phishing, or to prioritize targets for further attacks. The vulnerability corresponds to CWE-203, which involves information exposure through discrepancies in system behavior. The flaw was actively exploited in the wild as of June 2024, indicating real-world risk. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the limited impact on confidentiality without affecting integrity or availability. No patches or mitigations were listed at the time of disclosure, but updating Authy to versions 25.1.0 (Android) and 26.1.0 (iOS) or later is expected to resolve the issue.
Potential Impact
The primary impact of CVE-2024-39891 is the unauthorized disclosure of whether specific phone numbers are registered with the Authy two-factor authentication service. This leakage of user registration data compromises confidentiality but does not directly affect the integrity or availability of Authy accounts or services. However, the exposed information can facilitate targeted social engineering, phishing campaigns, or reconnaissance by attackers seeking to identify users who rely on Authy for authentication. Organizations using Authy for securing sensitive accounts may face increased risk of targeted attacks against their employees or customers. The vulnerability's ease of exploitation—requiring no authentication or user interaction—amplifies its threat potential. While no direct account compromise has been reported, the information disclosure could be a stepping stone for more sophisticated attacks. The impact is especially significant for organizations with high-value targets or those in sectors where phone-based authentication is prevalent.
Mitigation Recommendations
To mitigate CVE-2024-39891, organizations and users should promptly update Authy Android clients to version 25.1.0 or later and Authy iOS clients to version 26.1.0 or later, where the vulnerability has been addressed. Network-level controls such as rate limiting and anomaly detection on API endpoints can help detect and block suspicious enumeration attempts. Organizations should monitor logs for unusual patterns of phone number queries against Authy services. Employing additional layers of authentication beyond phone number verification can reduce the risk posed by this information disclosure. Security teams should educate users about phishing and social engineering risks that may arise from leaked registration data. Finally, Twilio should be engaged to confirm patch availability and ensure secure API endpoint configurations to prevent unauthenticated access.
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, France, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-07-02T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f7d9b3247d717aace26a5c
Added to database: 10/21/2025, 7:06:27 PM
Last enriched: 2/28/2026, 4:37:32 AM
Last updated: 3/25/2026, 2:57:24 AM