
Message received: Hackers exploit communications firm vulnerability

It appears that in late June 2024, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers.

Investors are pumping millions of dollars into encryption as unease about data security drives a rising need for ways to keep unwanted eyes away from personal and corporate information — © AFP

Hackers have exploited an unsecured API endpoint in Twilio to verify millions of Authy users’ phone numbers, leaving them vulnerable to SMS phishing and SIM swapping attacks.

It appears that in late June 2024, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.

Authy is a multi-factor authentication app: it generates the codes, delivered to a user's phone, that then allow the user to access a particular website. Looking into the issue for Digital Journal is Jason Kent, Hacker in Residence at Cequence.

Kent begins by detailing what has happened: “As the standard script for breaches in the API era, Twilio is next on stage. We have shown over and over that an API endpoint that accepts data and gives responses on that data needs to be covered with both authentication and authorization, or someone will abuse the endpoint.”

In terms of the specific case, there are technological challenges and unusual patterns, as Kent recounts: “This example is an interesting one because it starts where you might not expect. As you attach a device to the Authy service, they rely heavily on that device's phone number. Their systems are very interested in this number and obviously there are many endpoints that accept the number, and my guess is, if the number doesn’t exist there is an error.”

Kent says tellingly: “If the number does exist there is either a lack of error or some other way of knowing.”

In terms of the implications, Kent goes on to explain: “So, if I want to take over someone’s account that is using Authy’s MFA, I need to know what number they used to sign that account up with and perform a SIM swap to get the MFA code sent to the new phone. This is a reverse attack where the MFA service provider was able to validate the numbers first, now the SIM swapping attacks can commence.”

This creates a precarious situation: “Twilio has since put authentication on the endpoint in question, but it is still unknown if anyone has bought the 33 million records lost in the data dump.”
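The pattern Kent describes (an unauthenticated endpoint that answers differently depending on whether a phone number is registered) and the fix Twilio applied (authentication on the endpoint) can both be shown in a few lines. The following is an added illustration, not Twilio's or Authy's code; the registry, API token, rate limit and the `differs_by_existence` check are all hypothetical. It places the leaking endpoint beside a hardened one that requires a credential, rate-limits each client, and returns the same response whether or not the number exists, and it includes the check a security team would run against its own API to confirm the oracle is gone.

```python
"""Phone-number endpoint as an enumeration oracle, and a hardened version.

Constructed illustration of the pattern described in the article; this is
not Twilio or Authy code. The registry, token and rate limit are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional
import hmac

# Constructed sample data: numbers that have an account on the hypothetical service.
REGISTERED_NUMBERS = {"+15550100", "+15550101"}
# Hypothetical credential a legitimate, authorised client would present.
VALID_API_TOKEN = "example-token-not-real"
# Hypothetical cap on lookups per client within one window.
RATE_LIMIT_PER_CLIENT = 5


@dataclass
class Request:
    phone: str
    token: Optional[str] = None
    client_id: str = "anonymous"


@dataclass
class Response:
    status: int
    body: dict


def lookup_vulnerable(req: Request) -> Response:
    """Unauthenticated endpoint whose answer depends on whether the number exists.

    The status code alone tells any caller whether the number is registered,
    which is the oracle Kent describes: an error if the number does not exist,
    no error if it does.
    """
    if req.phone not in REGISTERED_NUMBERS:
        return Response(404, {"error": "phone number not found"})
    return Response(200, {"phone": req.phone, "registered": True})


class HardenedLookup:
    """Same endpoint with authentication, per-client rate limiting and a uniform response."""

    def __init__(self) -> None:
        self._calls: dict = defaultdict(int)
        self.codes_sent: list = []  # internal side effect, never exposed to the caller

    def lookup(self, req: Request) -> Response:
        # 1. Authentication: without a valid token the endpoint says nothing about the number.
        if req.token is None or not hmac.compare_digest(req.token, VALID_API_TOKEN):
            return Response(401, {"error": "authentication required"})
        # 2. Rate limiting per authenticated client makes bulk probing slow and visible.
        self._calls[req.client_id] += 1
        if self._calls[req.client_id] > RATE_LIMIT_PER_CLIENT:
            return Response(429, {"error": "rate limit exceeded"})
        # 3. Uniform response: do the real work internally, but say the same
        #    thing whether or not the number is registered.
        if req.phone in REGISTERED_NUMBERS:
            self.codes_sent.append(req.phone)
        return Response(202, {"message": "if this number is registered, a code has been sent"})


def differs_by_existence(handler: Callable[[str], Response],
                         registered: str = "+15550100",
                         unregistered: str = "+15559999") -> bool:
    """Defender's check against one's own API: does the endpoint answer
    differently for a known registered and a known unregistered number?
    True means the endpoint leaks account existence."""
    a, b = handler(registered), handler(unregistered)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    print("vulnerable leaks:", differs_by_existence(lambda p: lookup_vulnerable(Request(p))))
    hardened = HardenedLookup()
    authed = lambda p: hardened.lookup(Request(p, token=VALID_API_TOKEN, client_id="client-1"))
    print("hardened leaks:", differs_by_existence(authed))
    print("codes sent internally:", hardened.codes_sent)
```

The status code and body are the obvious channels, but the same check should also be run over response time and headers: a handler that does extra work (such as sending a code) only for registered numbers can still leak through latency, so production versions typically queue that work so the response path is identical in both cases.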

In terms of advice, Kent puts forward: “If you are an Authy user, you are advised to understand that that MFA service, for your account, may be compromised and any service using Authy as its MFA should take additional actions to ensure a SIM swap wasn’t recent on the account and ensure the end user has additional authentication parameters in place to validate if the user is intentionally attempting something they shouldn’t.”


Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
