Vulnerability in Million Times Downloaded iPhone app Let Attacker Listen to any User’s Call Recording

The “Automatic call recorder” application is one of the popular applications used by iPhone users to record their calls. The app is among the top-grossing apps in the Business category of the App Store and is currently #15 in downloads in the Business category worldwide.

PingSafe AI, a security company that monitors multiple breaches in real-time, has uncovered a critical vulnerability in the iPhone automatic call recorder application that exposed thousands of users’ recorded calls.

The Call Recorder app enabled third parties to access a user’s entire library of recordings just by knowing their phone number. Apple doesn’t offer call recording as a stock feature on the iPhone, so those wishing to record calls easily need an app to facilitate the function.

Features of the Automatic Call Recorder App

  • Organize recordings files into categories
  • Edit recording audio
  • Upload recordings to Slack
  • Upload recordings to Google Drive, Dropbox, OneDrive
  • Speech-to-text for recorded audio in over 50 languages

In the Call Recorder application, users can record

  • Incoming/outgoing calls
  • Domestic/international calls
  • With/without an internet connection

Vulnerability Details and Fixes Available

The security researcher Anand Prakash of PingSafe AI was able to sniff out the flaw using a proxy to replace his phone number with the number of another user. This enabled him to listen to recordings at will.

“The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint that leaked the cloud storage URL of the victim’s data,” said the researcher from PingSafe.

An attacker can pass another user’s number in the recordings request and the API will respond with the recording URL of the storage bucket without any authentication. It also leaks the victim’s entire call history and the numbers on which calls were made.

The bug has been fixed and the new version is live on the App Store. The app was updated on March 6, 2021, with TechCrunch pointing out that the release was to “patch a security report,” so it appears this takes care of the vulnerability.
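
The flaw class described above, shown next to a hardened handler, as an added example that is not the app's code or PingSafe's. The request shape, the `phone_number` field, the session table and the signed-URL scheme are all assumptions; the page does not say how the vendor actually fixed the issue.

```python
# Added illustration; endpoint shape, field names and data are hypothetical/constructed.
import hashlib
import hmac
import time

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a secret store
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550111"}  # token -> verified number
RECORDINGS = {"+15550100": ["rec/a1.m4a"], "+15550111": ["rec/b1.m4a", "rec/b2.m4a"]}
BUCKET = "https://bucket.example/"

def vulnerable_list(request):
    """Flaw class from the article: identity is whatever number the body carries."""
    number = request["body"]["phone_number"]  # client-controlled, never verified
    return {"status": 200, "urls": [BUCKET + k for k in RECORDINGS.get(number, [])]}

def _sig(key_path, owner, expires):
    msg = f"{key_path}|{owner}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def sign_url(key_path, owner, now, ttl=300):
    """Short-lived link bound to one object, one owner and an expiry time."""
    expires = int(now) + ttl
    return f"{BUCKET}{key_path}?exp={expires}&sig={_sig(key_path, owner, expires)}"

def url_is_valid(key_path, owner, expires, sig, now):
    """Storage-side check: reject expired links and any tampered field."""
    return now <= expires and hmac.compare_digest(sig, _sig(key_path, owner, expires))

def hardened_list(request, now=None):
    """Identity comes from the session; the body's number is only cross-checked."""
    now = time.time() if now is None else now
    token = request.get("headers", {}).get("Authorization", "")
    owner = SESSIONS.get(token)
    if owner is None:
        return {"status": 401, "urls": []}
    claimed = request.get("body", {}).get("phone_number")
    if claimed is not None and claimed != owner:
        return {"status": 403, "urls": []}  # worth alerting on: cross-account probe
    return {"status": 200,
            "urls": [sign_url(k, owner, now) for k in RECORDINGS.get(owner, [])]}

if __name__ == "__main__":
    swapped = {"headers": {"Authorization": "tok-alice"},
               "body": {"phone_number": "+15550111"}}
    print(vulnerable_list(swapped)["urls"])
    print(hardened_list(swapped)["status"])
    print(hardened_list({"headers": {"Authorization": "tok-alice"}, "body": {}}))
```

The 403 branch is also a detection point: a session whose claimed number differs from its verified number is exactly the number-swapping pattern the researcher used through a proxy.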

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
