An error in this Call Recorder app allows hackers to listen in


In terms of privacy nightmares, this one is pretty bad: a glaring security flaw in a popular iPhone call recorder app would have let literally anyone listen to a user’s recordings if they knew the target’s phone number.

Call Recorder claims to have over a million downloads worldwide. This makes it all the more concerning that the app’s security flaws seem to have been so easily discovered by Anand Prakash, a security researcher and founder of Pingsafe AI. Prakash recently shared his findings with TechCrunch.

Apps like Call Recorder are a popular way to keep track of business-related meetings and calls, although they have raised significant concerns about privacy and security because of the way they store such sensitive data in the cloud. In general, storing app data with cloud services can be a pretty dubious proposition if that storage does not have proper protection.

In this particular case, access to Call Recorder’s cloud bucket – and thus thousands of saved phone calls – could easily be gained by exploiting a gaping security hole.

After creating an account with the app, Prakash found that he could access and manipulate internet traffic traveling to and from the app using a common penetration testing program. From there, he found that if he replaced the phone number he registered with Call Recorder with another number, the app would send that user’s data to his phone, including saved phone calls and associated metadata.

“The vulnerability allowed any malicious actor to listen to a user’s call recording from the application’s cloud storage bucket and an unauthenticated API endpoint that leaked the cloud storage URL of the victim’s data,” Prakash writes.
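The class of flaw described above, an endpoint that trusts a client-supplied phone number, is shown below next to a hardened handler. This is an added illustration, not code from Call Recorder or from Prakash's report. Every name, the `bucket.example` host, the sample numbers and the signed-URL mitigation are assumptions, since the article does not say how the developer fixed the app.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: phone number -> storage key of that user's recording.
RECORDINGS = {
    "+15550100": "recordings/a1/call-001.m4a",
    "+15550199": "recordings/b7/call-042.m4a",
}
SESSIONS = {}                          # session token -> phone verified at sign-up
SIGNING_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def login(verified_phone):
    """Issue a session token once the phone number has been verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = verified_phone
    return token


def vulnerable_get_recording(request):
    """Flawed pattern: no authentication, identity read from the request body."""
    key = RECORDINGS.get(request.get("phone"))
    if key is None:
        return {"status": 404}
    return {"status": 200, "url": f"https://bucket.example/{key}"}


def signed_url(key, expires_at):
    """Short-lived link bound to one object instead of a permanent bucket URL."""
    msg = f"{key}:{expires_at}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"https://bucket.example/{key}?exp={expires_at}&sig={sig}"


def hardened_get_recording(request, now):
    """Identity comes from the server-side session; a mismatched phone is refused."""
    owner = SESSIONS.get(request.get("session"))
    if owner is None:
        return {"status": 401}          # unauthenticated callers get nothing
    if request.get("phone", owner) != owner:
        return {"status": 403}          # body field cannot override the session
    key = RECORDINGS.get(owner)
    if key is None:
        return {"status": 404}
    return {"status": 200, "url": signed_url(key, now + 300)}
```

A 403 on a phone number that does not match the session is also a useful detection signal: a legitimate client never sends one, so these responses are worth logging and alerting on.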

After Prakash contacted the app developer, a new, secure version of Call Recorder was relaunched on Saturday. TechCrunch reports that at the time of patching, approximately 300 gigabytes of data or “more than 130,000 audio recordings” were stored in Call Recorder’s cloud bucket.

We’ve reached out to the app developer for comment and will update this post when we hear back.
