A popular iPhone call recording app exposed the recordings of thousands of users, a security researcher has found.
The Call Recorder app contains a security vulnerability that enabled third parties to access a user’s entire library of recordings, just by knowing their phone number. Apple doesn’t offer call recording as a stock feature on the iPhone, so those wishing to do so easily
Noted security researcher Anand Prakash of PingSafe AI was able to sniff out the flaw using a proxy to replace his phone number with the number of another user. This enabled him to listen in to recordings at will.
The app makers proudly claim the app has been downloaded over 1 million times, and say it was a top 20 business app in 20 countries.
“An attacker can pass another user’s number in the recordings request and the API will respond with recording url of the storage bucket without any authentication,” the researcher wrote. “It also leaks victim’s entire call history and the numbers on which calls were made.”
He added: “The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data.”
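The flaw described above is a missing authorization check: the server takes the account identity from a phone number the client supplies. The following Python example is added here and is not the app's code or its actual fix; the handler names, session table, sample numbers, storage paths and signed-link scheme are all assumptions made for illustration. It places the flawed pattern beside a handler that derives the owner from the server-side session and hands out expiring, signed links instead of raw bucket URLs.

```python
import hashlib
import hmac
import time

# Constructed sample data; numbers, tokens and paths are illustrative only.
RECORDINGS = {
    "+15550100": ["rec/15550100/a1.m4a", "rec/15550100/a2.m4a"],
    "+15550199": ["rec/15550199/b1.m4a"],
}
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550199"}  # token -> verified number
URL_KEY = b"constructed-demo-key"  # assumption: a server-side secret in practice


def vulnerable_list(request):
    """Flawed pattern: the owner is whatever number the client sends."""
    return {"status": 200, "recordings": RECORDINGS.get(request.get("phone"), [])}


def sign_path(path, expires):
    """Bind a storage path to an expiry so a leaked link stops working."""
    mac = hmac.new(URL_KEY, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"/{path}?exp={expires}&sig={mac}"


def verify_signed(path, expires, sig, now=None):
    """Check the storage front end would run before serving a file."""
    now = time.time() if now is None else now
    expected = hmac.new(URL_KEY, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig) and now < expires


def hardened_list(request, now=None):
    """Owner comes from the server-side session, never from the request body."""
    now = time.time() if now is None else now
    owner = SESSIONS.get(request.get("token"))
    if owner is None:
        return {"status": 401, "recordings": []}
    # A client-supplied number that disagrees with the session is refused;
    # this mismatch is also the signal worth logging for detection.
    if request.get("phone") not in (None, owner):
        return {"status": 403, "recordings": []}
    expires = int(now) + 300
    return {"status": 200,
            "recordings": [sign_path(p, expires) for p in RECORDINGS.get(owner, [])]}
```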
The shocking vulnerability has now been closed off, and it is not known whether the flaw was exploited in the wild, beyond Prakash’s discovery.
The app developer has not yet commented on the discovery, but Trusted Reviews has contacted the company seeking more details. The app was last updated on Sunday, with TechCrunch pointing out the release “patch a security report,” so it appears this is what took care of the vulnerability.