
CVE-2024-39891: n/a

Severity: Medium
Type: Vulnerability
Published: Tue Jul 02 2024 (07/02/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

AI-Powered Analysis

Last updated: 10/21/2025, 19:41:20 UTC

Technical Analysis

CVE-2024-39891 is a vulnerability in the Twilio Authy API that affects Android versions prior to 25.1.0 and iOS versions prior to 26.1.0. The flaw lies in an unauthenticated API endpoint that accepts a stream of phone numbers and responds with information indicating whether each number is registered with Authy. This endpoint does not require authentication or user interaction, allowing remote attackers to enumerate registered users by submitting lists of phone numbers. Although the vulnerability does not expose sensitive account credentials or allow direct account compromise, it leaks user registration status, which can be leveraged for targeted phishing, social engineering, or further reconnaissance. The vulnerability was actively exploited in the wild as of June 2024, demonstrating its practical impact. The weakness corresponds to CWE-203 (Information Exposure Through Discrepancy). The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the confidentiality impact and ease of exploitation. No patches are explicitly linked in the provided data, but updating to Authy Android 25.1.0+ and iOS 26.1.0+ versions is recommended. The vulnerability affects all users of the vulnerable Authy app versions globally, with no requirement for authentication or user interaction, increasing the attack surface. The scope is limited to information disclosure without integrity or availability impact.

Potential Impact

For European organizations, the primary impact is the exposure of whether specific phone numbers are registered with Authy, which could facilitate targeted social engineering, phishing campaigns, or reconnaissance activities against employees or customers. While no direct account compromise occurs, attackers can use this information to craft more convincing attacks or identify users of two-factor authentication services, potentially undermining security postures. Organizations relying on Authy for multi-factor authentication (MFA) may see increased risk of targeted attacks exploiting this leaked information. The vulnerability does not affect the integrity or availability of systems but compromises confidentiality to a moderate degree. This could lead to reputational damage if attackers leverage the data for successful attacks. The exploitation ease and lack of authentication requirements increase the likelihood of scanning and enumeration attacks. European entities with large user bases or high-value targets may be more attractive to attackers leveraging this vulnerability.

Mitigation Recommendations

1. Immediately update Authy Android clients to version 25.1.0 or later and iOS clients to version 26.1.0 or later to ensure the vulnerable endpoint is no longer accessible.
2. Monitor network traffic and logs for unusual patterns of API requests that may indicate enumeration attempts, such as high volumes of phone number queries.
3. Implement rate limiting and anomaly detection on API endpoints to detect and block mass enumeration attempts if you operate services integrating with Authy.
4. Educate users and employees about phishing and social engineering risks, emphasizing vigilance even if MFA is in use.
5. Consider additional layers of authentication or verification for sensitive operations beyond relying solely on Authy registration status.
6. Coordinate with Twilio support or security teams for any additional patches or mitigations if applicable.
7. Review and update incident response plans to address potential phishing or social engineering attacks leveraging leaked registration data.
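The following is an added example, not code from Twilio or from this record, showing the two defensive controls that recommendations 2 and 3 describe: a detector that flags a single source querying many distinct phone numbers in a short window (the enumeration pattern), and a lookup handler whose response is identical whether or not a number is registered, which removes the CWE-203 discrepancy. The log format, the `/lookup` path, the thresholds and the handler are all assumptions made for the example; the real Authy endpoint and log formats are not on this page.

```python
"""Enumeration detection and a non-discriminating lookup response (added example).

Assumptions (hypothetical, not from the CVE record): an access-log line of the
form '<ISO-timestamp> <source> <path> <status> phone=<E.164 number>', a lookup
path of '/lookup', and a bearer-token check on the hardened handler.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import hmac
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<path>\S+) (?P<status>\d{3}) phone=(?P<phone>\+\d+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "path": m["path"],
            "status": int(m["status"]), "phone": m["phone"]}


def build_sample_log():
    """Constructed sample: one spraying client, two benign clients."""
    base = datetime(2024, 6, 15, 10, 0, tzinfo=timezone.utc)
    lines = []
    # 203.0.113.7: 60 distinct numbers in 60 seconds (enumeration pattern)
    for i in range(60):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{t} 203.0.113.7 /lookup 200 phone=+1555010{i:04d}")
    # 198.51.100.9: re-checks its own number three times (benign)
    for i in range(3):
        t = (base + timedelta(minutes=4 * i)).strftime(TS_FMT)
        lines.append(f"{t} 198.51.100.9 /lookup 200 phone=+15550200001")
    # 192.0.2.33: five distinct numbers spread over an hour (below threshold)
    for i in range(5):
        t = (base + timedelta(minutes=12 * i)).strftime(TS_FMT)
        lines.append(f"{t} 192.0.2.33 /lookup 200 phone=+155503000{i:02d}")
    return lines


def detect_enumeration(lines, max_distinct=20, window=timedelta(minutes=5), path="/lookup"):
    """Flag sources that query more than max_distinct distinct numbers inside a sliding window.

    Returns {source: {"distinct": n, "first": ts, "last": ts}} for flagged sources.
    """
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # source -> deque of (ts, phone) still inside the window
    alerts = {}
    for e in events:
        if e["path"] != path:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["phone"]))
        while q and e["ts"] - q[0][0] > window:  # evict events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            prev = alerts.get(e["src"])
            if prev is None or distinct > prev["distinct"]:
                alerts[e["src"]] = {"distinct": distinct, "first": q[0][0], "last": e["ts"]}
    return alerts


def lookup_registration(phone, registered_numbers, presented_token, expected_token):
    """Hardened handler shape (illustrative): authenticate first, then return a body
    that is identical whether or not the number is registered, so the response
    carries no observable discrepancy (CWE-203)."""
    if not hmac.compare_digest(presented_token.encode(), expected_token.encode()):
        return {"status": 401, "body": {"result": "unauthorized"}}
    _is_registered = phone in registered_numbers  # used server-side only; never echoed back
    return {"status": 202, "body": {"result": "accepted"}}


if __name__ == "__main__":
    for src, info in detect_enumeration(build_sample_log()).items():
        print(f"ALERT {src}: {info['distinct']} distinct numbers "
              f"between {info['first'].isoformat()} and {info['last'].isoformat()}")
```

On the constructed log only 203.0.113.7 is flagged; the client re-checking one number and the client querying five numbers over an hour stay under the distinct-number threshold, which is the point of counting distinct numbers rather than raw request volume. The handler is deliberately uninformative to the caller; any per-number decision (for example, whether to send a code) is made server-side.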


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-07-02T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f7d9b3247d717aace26a5c

Added to database: 10/21/2025, 7:06:27 PM

Last enriched: 10/21/2025, 7:41:20 PM

Last updated: 10/29/2025, 11:59:28 PM


