Comment by darkr
2 years ago
This doesn’t surprise me. I found an information exposure vuln on the user registration endpoint a while ago (given a phone number of an authy user who had previously registered via another customer, retrieve all other numbers/devices/timestamps, email addresses and other info for that user).
It took them two years to fix it.
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint
Isn’t that what you are describing?
Based on the reports that I’ve read so far, this vuln was different to the one I found, which was on an authenticated endpoint.
Definitely some similarities though, I’d love to see some concrete technical information on it.