July 24, 2024 at 10:42AM
CISA added a recent Twilio Authy bug, tracked as CVE-2024-39891 and classed as an information disclosure issue, to its Known Exploited Vulnerabilities catalog. Twilio warned of the vulnerability and urged users to update to version 25.1.0 for Android and 26.1.0 for iOS. No Twilio systems were compromised, and CISA has directed federal agencies to identify vulnerable instances in their environments before August 13.
Summary:
The US Cybersecurity and Infrastructure Security Agency (CISA) has included a recent Twilio Authy bug, tracked as CVE-2024-39891, in its Known Exploited Vulnerabilities catalog. This security defect, an information disclosure issue, affects Authy Android versions before 25.1.0 and Authy iOS versions before 26.1.0. It involves an unauthenticated endpoint leaking phone number data, although Authy accounts themselves were not compromised. Twilio has urged users to update to the latest versions of the Android and iOS apps to address the vulnerability.
CISA has also added another vulnerability, CVE-2012-4792, related to Internet Explorer, to its KEV list and has issued a directive (BOD 22-01) for federal agencies to identify vulnerable instances in their environments before August 13. While this directive specifically applies to federal agencies, all organizations are encouraged to review CISA’s KEV list and address the vulnerabilities promptly.
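The two remediation facts above (the fixed Authy versions and the KEV due date) are what an asset owner actually has to act on. The following script is an added example, not code from the article, Twilio or CISA: it checks a constructed device inventory against the fixed versions named in the text and computes how many days remain before the due date. The KEV entry is constructed with the field names used by the public CISA KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`); only the CVE id, product and due date come from the page. Versions are compared numerically rather than as strings, because a lexicographic comparison would wrongly treat a build such as `9.0.0` as newer than `26.1.0`.

```python
"""Flag installed Authy builds older than the fixed versions and count the days
left before the KEV remediation due date (added example, not project code)."""
from datetime import date

# Fixed versions stated in the advisory (values from the page).
FIXED_VERSIONS = {
    "android": (25, 1, 0),
    "ios": (26, 1, 0),
}

# Constructed KEV-style entry: field names follow the public CISA KEV JSON feed;
# CVE id, product and due date are from the page, the vendor field is illustrative.
KEV_ENTRY = {
    "cveID": "CVE-2024-39891",
    "vendorProject": "Twilio",
    "product": "Authy",
    "dueDate": "2024-08-13",
}

# Constructed device inventory: (device id, platform, installed version string).
INVENTORY = [
    ("phone-001", "android", "25.1.0"),   # exactly the fixed version: not vulnerable
    ("phone-002", "android", "24.9.3"),   # older major/minor: vulnerable
    ("phone-003", "ios", "26.1.0"),       # fixed: not vulnerable
    ("phone-004", "ios", "26.0.12"),      # patch level below fix: vulnerable
    ("phone-005", "ios", "9.0.0"),        # string compare would pass this; numeric does not
]


def parse_version(text):
    """Turn '25.1.0' into (25, 1, 0) so versions compare numerically.

    Missing trailing components are padded with zeros, so '25.1' == '25.1.0'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_vulnerable(platform, version_text):
    """True when the installed build predates the fixed version for its platform."""
    platform = platform.lower()
    if platform not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version_text) < FIXED_VERSIONS[platform]


def find_vulnerable(inventory):
    """Return the ids of every device still running a vulnerable build."""
    return [dev for dev, plat, ver in inventory if is_vulnerable(plat, ver)]


def days_until_due(entry, today_iso):
    """Days between today (ISO date string) and the KEV entry's dueDate; negative if overdue."""
    due = date.fromisoformat(entry["dueDate"])
    today = date.fromisoformat(today_iso)
    return (due - today).days


def report(inventory, entry, today_iso):
    """Combine the vulnerable-device list with the remaining remediation window."""
    return {
        "cve": entry["cveID"],
        "product": f'{entry["vendorProject"]} {entry["product"]}',
        "vulnerable_devices": find_vulnerable(inventory),
        "days_until_due": days_until_due(entry, today_iso),
    }


if __name__ == "__main__":
    # Run as of the article's publication date.
    print(report(INVENTORY, KEV_ENTRY, "2024-07-24"))
```

The same `report` shape works for any KEV entry once the `FIXED_VERSIONS` table is extended with the fixed builds named in that entry's vendor advisory; the KEV feed itself carries the due date but not the version threshold, so that mapping has to be maintained by the asset owner.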
Additionally, organizations should be aware of the potential for threat actors to use leaked phone numbers for phishing and smishing attacks, as highlighted in Twilio’s alert after the ShinyHunters hackers leaked 33 million phone numbers associated with Authy accounts.
CISA’s activities have been focused on identifying and addressing critical vulnerabilities, including those in widely used software and services such as Adobe Commerce and Internet Explorer.